[
https://issues.apache.org/jira/browse/SOLR-14049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17068276#comment-17068276
]
Marcus Eagan commented on SOLR-14049:
-------------------------------------
I would like to see this change happen.
In an ideal state, not only should config APIs be disabled by default, they
should only work if auth is enabled. Cannot rely on firewalls alone. The
problem there is that then this change becomes an ease-of-use impediment that
we do not want to introduce. Hmmm... Security vs Usability.
> Disable Config APIs by default
> ------------------------------
>
> Key: SOLR-14049
> URL: https://issues.apache.org/jira/browse/SOLR-14049
> Project: Solr
> Issue Type: Improvement
> Reporter: Ishan Chattopadhyaya
> Priority: Major
>
> Spin off from SOLR-13978. This is not my proposal (I support this only
> conditionally), I'm just opening the JIRA.
> Proposal is to do this by 8.4. Reason is that Config APIs have been used in
> the past to invoke RCE vulnerabilities in some components of Solr.
> The discussion has happened in SOLR-13978. I am willing to do the work once
> we have agreement on this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
