Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2019/12/05 16:45:43 UTC

[GitHub] [lucene-solr] gus-asf commented on a change in pull request #976: SOLR-13749: Implement support for joining across collections with multiple shards

URL: https://github.com/apache/lucene-solr/pull/976#discussion_r354425569
 
 

 ##########
 File path: solr/core/src/java/org/apache/solr/search/join/XCJFQParser.java
 ##########
 @@ -46,17 +46,25 @@
           QueryParsing.TYPE, QueryParsing.V, ZK_HOST, SOLR_URL, COLLECTION, FROM, TO, ROUTED_BY_JOIN_KEY, TTL));
 
   private final String routerField;
+  private final Set<String> solrUrlWhitelist;
 
-  public XCJFQParser(String qstr, SolrParams localParams, SolrParams params, SolrQueryRequest req, String routerField) {
+  public XCJFQParser(String qstr, SolrParams localParams, SolrParams params, SolrQueryRequest req, String routerField, Set<String> solrUrlWhiteList) {
     super(qstr, localParams, params, req);
     this.routerField = routerField;
+    // If specified in the config, this will limit which solr url's the parser can connect to.
+    this.solrUrlWhitelist = solrUrlWhiteList;
   }
 
   @Override
   public Query parse() throws SyntaxError {
     String query = localParams.get(QueryParsing.V);
     String zkHost = localParams.get(ZK_HOST);
     String solrUrl = localParams.get(SOLR_URL);
+    // Test if this is a valid solr url.
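Review bot: The check announced by the comment on the last added line ("Test if this is a valid solr url.") is not visible in this hunk, and the constructor stores `solrUrlWhiteList` without any null handling, so when no whitelist is configured `solrUrlWhitelist` is null and a later `contains` call will either throw a NullPointerException or, if guarded with a null check that skips validation, silently allow any URL. Suggest treating a null or empty whitelist as "reject all solrUrl values" and raising a SyntaxError whose message states that a whitelist must be configured, so the parser is safe by default. Also align the spelling of the constructor parameter (`solrUrlWhiteList`) with the field (`solrUrlWhitelist`) to avoid confusion in later edits.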
 
 Review comment:
   This looks good, but I think we need to make it secure by default. Security flaws have recently become a big pain point in the community, having had 5 CVEs in 2019... Do you mind if I add another if that fails with advice that a whitelist is required, when none is configured? For expedience I can make this change and we can punt an "insecure, talk to anyone, mode" to a later ticket if you like.
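One way the secure-by-default check proposed above could look, as an added illustration that is not code from the pull request or from Solr: a null or empty whitelist rejects every solrUrl with an explanatory message, and comparison is done on the normalized scheme/host/port so path, case or trailing-slash variants cannot slip past the list. The class and `RejectedUrlException` are hypothetical stand-ins for the parser code and Solr's SyntaxError.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical stand-in for the parser's solrUrl check; not the PR's code. */
public final class SolrUrlWhitelist {

    /** Stands in for Solr's SyntaxError in this self-contained example. */
    public static final class RejectedUrlException extends Exception {
        RejectedUrlException(String msg) { super(msg); }
    }

    /** Secure by default: no configured whitelist means no solrUrl is accepted. */
    public static void checkSolrUrl(String solrUrl, Set<String> whitelist)
            throws RejectedUrlException {
        if (whitelist == null || whitelist.isEmpty()) {
            throw new RejectedUrlException(
                "solrUrl rejected: no solrUrl whitelist is configured for this parser");
        }
        String wanted = origin(solrUrl);
        for (String allowed : whitelist) {
            if (wanted.equals(origin(allowed))) {
                return;                       // exact origin match only
            }
        }
        throw new RejectedUrlException("solrUrl rejected, not in whitelist: " + solrUrl);
    }

    /** Reduce a URL to lowercase scheme://host:port so only the origin is compared. */
    private static String origin(String url) throws RejectedUrlException {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) {
                throw new RejectedUrlException("URL must be absolute with a host: " + url);
            }
            boolean https = "https".equalsIgnoreCase(u.getScheme());
            int port = u.getPort() == -1 ? (https ? 443 : 80) : u.getPort();
            return u.getScheme().toLowerCase(Locale.ROOT) + "://"
                 + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            throw new RejectedUrlException("malformed URL: " + url);
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("http://solr1.example.internal:8983/solr"); // constructed
        checkSolrUrl("HTTP://SOLR1.example.internal:8983/solr/other", allowed);  // same origin: ok
        try { checkSolrUrl("http://solr1.example.internal:8983/solr", null); }
        catch (RejectedUrlException e) { System.out.println(e.getMessage()); }   // no whitelist
        try { checkSolrUrl("http://other.example.internal:8983/solr", allowed); }
        catch (RejectedUrlException e) { System.out.println(e.getMessage()); }   // not listed
    }
}
```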
