[ https://issues.apache.org/jira/browse/SOLR-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903022#comment-17903022 ]
ASF subversion and git services commented on SOLR-16781:
--------------------------------------------------------
Commit c1062d9406ca17b8500f346f0acde8370a70b96d in solr's branch
refs/heads/main from Jason Gerlowski
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=c1062d9406c ]
SOLR-16781: Remove solrconfig.xml <lib> directives (#2875)
Solr offers a number of ways for users to add JARs and resources to
their classpath, including:
* solr.xml <sharedLib> entries
* SOLR_MODULES env-var/support
* core and install-level "lib/" directories
* the package manager
* direct classpath modification
In addition to being largely redundant with the methods above,
solrconfig.xml's <lib> directive has been a pain point and source of
security concerns in the past. This commit removes it from Solr 10.
> Remove <lib> directives from Solr
> ---------------------------------
>
> Key: SOLR-16781
> URL: https://issues.apache.org/jira/browse/SOLR-16781
> Project: Solr
> Issue Type: Improvement
> Reporter: Ishan Chattopadhyaya
> Priority: Blocker
> Labels: pull-request-available
> Fix For: main (10.0)
>
> Attachments: SOLR-16781-1.patch, SOLR-16781-2.patch, SOLR-16781.patch
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> <lib> directives in solrconfig.xml used to be the recommended way for including
> additional jar files to the classpath for a particular collection or
> collections.
> For context: This feature required complex handling of "trusted" vs
> "non-trusted" configsets in configset upload API to keep Solr secure (i.e. to
> stop RCE attacks for non-authentication enabled deployments). This security
> feature also broke down recently due to a bug in Schema designer (SOLR-16777).
> Supported alternatives exist that are safer:
> * users can add the jar files to Solr's classpath
> * use packages to use custom jars per collection
> In the light of these, there's no need to continue to support the <lib>
> directive going forward.
> I propose to remove the <lib> directives handling and functionality through
> this issue.
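For operators preparing an upgrade, one way to find configsets that still rely on the directive this commit removes. This is an added example, not code from the Solr project or from the commit; the sample config, the function names and the assumption that configsets are available on disk as files named solrconfig.xml are all illustrative.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample resembling an older solrconfig.xml (not from the page).
SAMPLE_SOLRCONFIG = """<config>
  <luceneMatchVersion>9.0</luceneMatchVersion>
  <!-- <lib dir="/old/disabled" regex=".*" /> -->
  <lib dir="${solr.install.dir:../../../..}/modules/extraction/lib" regex=".*\\.jar"/>
  <lib path="/opt/custom/my-plugin.jar"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

def find_lib_directives(xml_data):
    """Return one dict per active <lib> element (str or bytes input).

    A real XML parse is used instead of a text search so that
    commented-out directives are not reported.
    """
    root = ET.fromstring(xml_data)
    return [
        {"dir": el.get("dir"), "path": el.get("path"), "regex": el.get("regex")}
        for el in root.iter("lib")
    ]

def audit_tree(root_dir):
    """Map each solrconfig.xml under root_dir to its <lib> directives.

    Files without <lib> are omitted; unparseable files are reported as a
    string so they get a manual look rather than being silently skipped.
    """
    report = {}
    for cfg in sorted(Path(root_dir).rglob("solrconfig.xml")):
        try:
            libs = find_lib_directives(cfg.read_bytes())
        except ET.ParseError as exc:
            report[str(cfg)] = f"unparseable: {exc}"
            continue
        if libs:
            report[str(cfg)] = libs
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_tree(sys.argv[1])
    else:
        results = {"<sample>": find_lib_directives(SAMPLE_SOLRCONFIG)}
    for name, libs in results.items():
        print(name, libs)
```

Each reported JAR location then needs to move to one of the mechanisms listed in the commit message, such as a solr.xml <sharedLib> entry, a "lib/" directory or the package manager.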