Posted to commits@lucene.apache.org by ct...@apache.org on 2020/07/10 18:36:14 UTC

[lucene-solr] 02/02: Ref Guide: move allowPaths note into Security section for 8.6

This is an automated email from the ASF dual-hosted git repository.

ctargett pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git

commit 1862171e06c356d383fe34fe57123992997e0597
Author: Cassandra Targett <ca...@lucidworks.com>
AuthorDate: Fri Jul 10 13:35:02 2020 -0500

    Ref Guide: move allowPaths note into Security section for 8.6
---
 solr/solr-ref-guide/src/solr-upgrade-notes.adoc | 33 +++++++++++--------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/solr/solr-ref-guide/src/solr-upgrade-notes.adoc b/solr/solr-ref-guide/src/solr-upgrade-notes.adoc
index c3c061c..f6ec8a4 100644
--- a/solr/solr-ref-guide/src/solr-upgrade-notes.adoc
+++ b/solr/solr-ref-guide/src/solr-upgrade-notes.adoc
@@ -73,6 +73,21 @@ For details of the default policy, see the section <<solrcloud-autoscaling-overv
 
 *Security*
 
+* Prior to Solr 8.6 Solr APIs which take a file system location, such as core creation, backup, restore, and others, did not validate the path and Solr would allow any absolute or relative path.
+Starting in 8.6 only paths that are relative to `SOLR_HOME`, `SOLR_DATA_HOME` and `coreRootDir` are allowed by default.
++
+If you need to create a core or store a backup outside the default paths, you will need to tell Solr which paths to allow.
+A new element in `solr.xml` called `allowPaths` takes a comma-separated list of allowed paths.
++
+When using the `solr.xml` file that ships with 8.6, you can configure the list of paths to allow through the system property `solr.allowPaths`.
+Please see `bin/solr.in.sh` or `bin\solr.in.cmd` for example usage.
+Using the value `*` will allow any path as in earlier versions.
++
+For more on this, see the section <<format-of-solr-xml.adoc#the-solr-element,Solr.xml Parameters>>.
++
+Windows SMB shares on the UNC format, such as `\\myhost\myshare\mypath` are now always disallowed.
+Please use drive letter mounts instead, i.e., `S:\mypath`.
+
 * A new authorization plugin `ExternalRoleRuleBasedAuthorizationPlugin` is now available.
 This plugin allows an authentication plugin (such as JWT) to supply a user's roles instead of maintaining a user-to-role mapping inside Solr.
 
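Review bot: the moved bullet has a few wording defects worth fixing before it ships, and one security-relevant clarification. "Prior to Solr 8.6 Solr APIs which take a file system location" needs a comma after "8.6" and drops the redundant second "Solr" (compare the original wording "Several Solr APIs allow specifying a file system location"). "Windows SMB shares on the UNC format" should read "in UNC format", and "i.e., `S:\mypath`" should be "e.g., `S:\mypath`" since the drive letter is an example, not a definition. On the substance: the sentence "Using the value `*` will allow any path as in earlier versions" is the only place that tells an operator the setting can disable the new validation entirely; consider stating explicitly that `*` restores the pre-8.6 behaviour of accepting any absolute or relative path, so readers do not treat it as a convenient default for the `solr.allowPaths` property in `bin/solr.in.sh` or `bin\solr.in.cmd`.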
@@ -93,24 +108,6 @@ For the Unified Highlighter: The setting `hl.fragsizeIsMinimum` now defaults to
 This will yield longer highlights on average compared to Solr 8.5 but relatively unchanged compared to previous releases.
 Furthermore, if your application highlights lots of text, you may want to experiment with lowering `hl.fragAlignRatio` to trade ideal fragment alignment for better performance.
 
-*Restricting File Paths*
-
-Several Solr APIs allow specifying a file system location.
-This includes core creation, backup, restore and others.
-Prior to Solr 8.6 these parameters were not validated, and Solr would allow any absolute or relative path.
-From 8.6 we by default allow only paths that are relative to `SOLR_HOME`, `SOLR_DATA_HOME` and `coreRootDir`.
-If you need to create a core or store a backup outside these pre-allowed paths, you now need to tell Solr about what paths to allow.
-
-Solr can be configured with a comma separated list of paths to allow in `solr.xml` using the new `allowPaths` element.
-When using the `solr.xml` file that ships with 8.6, you can configure the list of paths to allow through the system property `solr.allowPaths`.
-Please see `bin/solr.in.sh` or `bin\solr.in.cmd` for example usage.
-Using the value `*` will allow any path as in earlier versions.
-
-For more on this, see the section <<format-of-solr-xml.adoc#the-solr-element,Solr.xml Parameters>>.
-
-Windows SMB shares on the UNC format, such as `\\myhost\myshare\mypath` are now always disallowed.
-Please use drive letter mounts instead, i.e. `S:\mypath`.
-
 *Deprecations*
 
 A primary focus of the community is improving Solr's stability and supportability.
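Review bot: deleting the standalone *Restricting File Paths* heading removes a section that other Ref Guide pages may link to by its generated anchor; please grep the guide for cross-references to that heading before merging, since the content now lives only as a bullet under *Security* with no heading of its own. The diffstat (15 insertions, 18 deletions) is consistent with the move, and the removed text matches what was added in the first hunk, so nothing is lost beyond the heading.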