Posted to issues@lucene.apache.org by "Marcus Eagan (Jira)" <ji...@apache.org> on 2020/03/27 05:13:00 UTC

[jira] [Commented] (SOLR-14049) Disable Config APIs by default

    [ https://issues.apache.org/jira/browse/SOLR-14049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17068276#comment-17068276 ] 

Marcus Eagan commented on SOLR-14049:
-------------------------------------

I would like to see this change happen.

In an ideal state, not only should config APIs be disabled by default, they should only work if auth is enabled. Cannot rely on firewalls alone. The problem there is that then this change becomes an ease-of-use impediment that we do not want to introduce. Hmmm... Security vs Usability.



> Disable Config APIs by default
> ------------------------------
>
>                 Key: SOLR-14049
>                 URL: https://issues.apache.org/jira/browse/SOLR-14049
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> Spin off from SOLR-13978. This is not my proposal (I support this only conditionally), I'm just opening the JIRA.
> Proposal is to do this by 8.4. Reason is that Config APIs have been used in the past to invoke RCE vulnerabilities in some components of Solr.
> The discussion has happened in SOLR-13978. I am willing to do the work once we have agreement on this.


