Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/08/23 20:40:00 UTC

[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

    [ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590784#comment-16590784 ] 

Jan Høydahl commented on SOLR-11495:
------------------------------------

I think we should keep them enabled as is, including xmlparser, and instead focus on fixing security issues along the way as well as document how to disable qparsers in the “taking Solr to production” chapter.

> Reduce the list of which query parsers are loaded by default
> ------------------------------------------------------------
>
>                 Key: SOLR-11495
>                 URL: https://issues.apache.org/jira/browse/SOLR-11495
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query parsers
>    Affects Versions: 7.0
>            Reporter: Shawn Heisey
>            Priority: Major
>
> Virtually all of the query parsers that Solr supports are enabled by default, in a map created in QParserPlugin.java.
> To reduce the possible attack surface of a default Solr installation, I believe that the list of default parsers should be limited to a small handful of the full list that's available. I will discuss specific ideas for that list in comments.
> I think the bar should be very high for admission to the default parser list. That list should only include those that are most commonly used by the community. Only the most common parsers will have had extensive review for security issues.
> _Edit_: moved description from "Docs Text" field where it was initially added mistakenly.


