[
https://issues.apache.org/jira/browse/SOLR-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ishan Chattopadhyaya updated SOLR-16781:
----------------------------------------
Description:
<lib> directives in solrconfig.xml used to be recommended way for including
additional jar files to the classpath for a particular collection or
collections.
For context: This feature required complex handling of "trusted" vs
"non-trusted" configsets in configset upload API to keep Solr secure (i.e. to
stop RCE attacks for non-authentication enabled deployments). This security
feature also broke down recently due to a bug in Schema designer (SOLR-16777).
Supported alternatives exist that are safer:
* user can add the jar files to Solr's classpath
* use packages to use custom jars per collection
In the light of these, there's no need to continue to support the <lib>
directive going forward.
I propose to remove the <lib> directives handling and functionality through
this issue.
was:
<lib> directives in solrconfig.xml used to be recommended way for including
additional jar files to the classpath for a particular collection or
collections.
For context: This feature required complex handling of "trusted" vs
"non-trusted" configsets in configset upload API to keep Solr secure (i.e. to
stop RCE attacks for non-authentication enabled deployments). This security
feature also broke down recently due to a bug in Schema designer (SOLR-16777).
Supported alternatives exist that are safer:
* user can add the jar files to Solr's classpath
* use packages to use custom jars per collection
In the light of these, there's no need to continue to support the <lib>
directive going forward.
I propose to remove <lib> directives through this issue.
> Remove <lib> directives from Solr
> ---------------------------------
>
> Key: SOLR-16781
> URL: https://issues.apache.org/jira/browse/SOLR-16781
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Ishan Chattopadhyaya
> Priority: Major
>
> <lib> directives in solrconfig.xml used to be recommended way for including
> additional jar files to the classpath for a particular collection or
> collections.
> For context: This feature required complex handling of "trusted" vs
> "non-trusted" configsets in configset upload API to keep Solr secure (i.e. to
> stop RCE attacks for non-authentication enabled deployments). This security
> feature also broke down recently due to a bug in Schema designer (SOLR-16777).
> Supported alternatives exist that are safer:
> * user can add the jar files to Solr's classpath
> * use packages to use custom jars per collection
> In the light of these, there's no need to continue to support the <lib>
> directive going forward.
> I propose to remove the <lib> directives handling and functionality through
> this issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
