[
https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris M. Hostetter resolved SOLR-14015.
---------------------------------------
Resolution: Fixed
{quote}See SOLR-14020 for an explanation. ...
{quote}
Ah, ok ... Got it – i didn't realize before (from just skimming all the recent
Jira summaries) how how the SecurityManager changes could have broken (low
level JDK internal) access to /dev/urandom lik this.
linking & re-resolvoing
> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
> Key: SOLR-14015
> URL: https://issues.apache.org/jira/browse/SOLR-14015
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Robert Muir
> Assignee: Robert Muir
> Priority: Major
> Fix For: 8.4
>
> Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately currently the solr policy allows read to ALL FILES
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal
> attacks, etc.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
