[jira] [Reopened] (SOLR-14071) Untrusted configsets shouldn't be allowed to use directive

Robert Muir (Jira) Thu, 12 Dec 2019 15:30:34 -0800


     [ 
https://issues.apache.org/jira/browse/SOLR-14071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Robert Muir reopened SOLR-14071:
--------------------------------
      Assignee: Ishan Chattopadhyaya

this says it is a resolved 8.4 blocker, but it was committed after Adrien 
branched for release: wasn't backported to {{branch_8_4}}. 

> Untrusted configsets shouldn't be allowed to use <lib> directive
> ----------------------------------------------------------------
>
>                 Key: SOLR-14071
>                 URL: https://issues.apache.org/jira/browse/SOLR-14071
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.4
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> Allowing untrusted configsets, i.e. those have been uploaded using the 
> configset upload API without authx enabled, to use the <lib> directive can 
> open up possibilities for malicious users to include insecure contribs 
> libraries.
> Whoever wants to use their own libraries can add them to the classpath of 
> Solr (i.e. place them wherever solr-core-*jar resides). For them, the <lib> 
> directive won't be necessary anyway.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Reopened] (SOLR-14071) Untrusted configsets shouldn't be allowed to use directive

Reply via email to