[ https://issues.apache.org/jira/browse/SOLR-16776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718008#comment-17718008 ]

David Smiley commented on SOLR-16776:
-------------------------------------

+1 to a System property.

But why have dual levels of configuration -- node level and 
configSet/collection level?  It makes explaining how to enable it more 
complicated than it should be.  I'm highly dubious someone would want to enable 
this only on certain collections.  Maybe both layers for backwards 
compatibility for now... possibly with a simplification in v10?  We could make 
the configSet level a no-op -- ignored except for a warning if you try to 
change it.

As for the name of the system property, there is no standard naming approach 
for System properties across Solr; it's a mish-mash of styles, as you know.  I 
*really* dislike the "sentence.with.period.in.between.words.style".  I propose 
here "solr.enableRemoteStreaming" or just "enableRemoteStreaming".  The name 
used in our XML configuration for the requestDispatcher XML element is an 
attribute named "enableRemoteStreaming" thus I think using that name makes 
sense.

A backwards compatibility note will need to be added in the ref guide.

Suggested CHANGES.txt:
* SOLR-16776: Improve security: The enableRemoteStreaming setting is 
transitioned from solrconfig.xml to a node level via a system property -- 
"solr.enableRemoteStreaming".  Attempts to change the solrconfig level in any 
way no longer do anything, and the setting may be removed in a future version.

> Disable remote streaming by default using sysprop
> -------------------------------------------------
>
>                 Key: SOLR-16776
>                 URL: https://issues.apache.org/jira/browse/SOLR-16776
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 9.2.1
>
>         Attachments: SOLR-16776.patch
>
>
> Remote streaming is a vulnerability in Solr that allows a user to make Solr 
> talk to arbitrary HTTP servers. It is disabled by default, but easily enabled 
> using config API. This issue is to disable it more properly, at a node level, 
> and add an additional system property per node to disable it by default. To 
> continue using this feature, pass {{-Denable.remote.streams=true}} to the 
> startup, and then enable it on a per collection/configset basis as needed.
>  
> As per Skay's report 
> https://twitter.com/Skay_00/status/1646870062601756672
>  remote code execution is possible in unsecured Solr clusters where 
> authentication hasn't been enabled. This ticket is to mitigate one aspect of 
> that, i.e. remote streaming. While our recommendation to all users remains 
> the same, i.e. to secure Solr installations with authentication and 
> authorization, I thank Skay for his detailed report.
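As an added illustration (not code from the Solr project or from the comment above), the following Python audit applies the precedence David proposes: the node-level system property `solr.enableRemoteStreaming` alone decides whether remote streaming is on, and a legacy `enableRemoteStreaming` attribute on `<requestDispatcher>` in solrconfig.xml is ignored and only surfaced as a warning. The property name and XML attribute are taken from the discussion; the JVM options and solrconfig.xml fragments are constructed sample inputs.

```python
import shlex
import xml.etree.ElementTree as ET

PROPERTY = "solr.enableRemoteStreaming"  # node-level sysprop name proposed above


def parse_sysprops(jvm_opts: str) -> dict:
    """Return the -Dkey=value pairs from a JVM options string such as SOLR_OPTS."""
    props = {}
    for tok in shlex.split(jvm_opts):
        if tok.startswith("-D"):
            key, has_value, value = tok[2:].partition("=")
            props[key] = value if has_value else "true"  # bare -Dkey means true
    return props


def legacy_flag(solrconfig_xml: str):
    """Return the configSet-level requestDispatcher attribute, or None if unset."""
    dispatcher = ET.fromstring(solrconfig_xml).find("requestDispatcher")
    if dispatcher is None or dispatcher.get("enableRemoteStreaming") is None:
        return None
    return dispatcher.get("enableRemoteStreaming").strip().lower() == "true"


def audit(jvm_opts: str, solrconfig_xml: str) -> dict:
    """Effective state under the proposed rule: only the sysprop counts (off when
    absent), and a legacy solrconfig.xml setting is reported because it is ignored."""
    enabled = parse_sysprops(jvm_opts).get(PROPERTY, "false").lower() == "true"
    warnings = []
    legacy = legacy_flag(solrconfig_xml)
    if legacy is not None:
        warnings.append(
            f"requestDispatcher enableRemoteStreaming={str(legacy).lower()} in "
            f"solrconfig.xml is ignored; effective state comes from -D{PROPERTY}")
    return {"remote_streaming_enabled": enabled, "warnings": warnings}


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_OPTS_ENABLED = "-Xmx2g -Dsolr.enableRemoteStreaming=true -Dsolr.log.dir=/var/solr/logs"
SAMPLE_OPTS_DEFAULT = "-Xmx2g -Dsolr.log.dir=/var/solr/logs"
SAMPLE_CONFIG_LEGACY = """<config>
  <requestDispatcher enableRemoteStreaming="true">
    <requestParsers multipartUploadLimitInKB="2048"/>
  </requestDispatcher>
</config>"""

if __name__ == "__main__":
    print(audit(SAMPLE_OPTS_ENABLED, SAMPLE_CONFIG_LEGACY))  # enabled, one warning
    print(audit(SAMPLE_OPTS_DEFAULT, "<config/>"))  # disabled by default, no warning
```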



--
This message was sent by Atlassian Jira
(v8.20.10#820010)