You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Robert Muir (Jira)" <ji...@apache.org> on 2019/12/05 06:26:00 UTC
[jira] [Commented] (SOLR-14018) sandbox velocity into oblivion
[ https://issues.apache.org/jira/browse/SOLR-14018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988509#comment-16988509 ]
Robert Muir commented on SOLR-14018:
------------------------------------
this one is likely dependent on a more comprehensive security setup than just the simple flat model we use for tests.
> sandbox velocity into oblivion
> ------------------------------
>
> Key: SOLR-14018
> URL: https://issues.apache.org/jira/browse/SOLR-14018
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Robert Muir
> Priority: Major
>
> followup to SOLR-19993.
> The thing has too many read permissions now. it is due to my hacky first stab at the thing. instead of wrapping the whole block of code in a sandbox, we should go a little deeper, there are two things:
> * Script "engine" (with all the shit needed to compile and run the script)
> * Script compiled code (stuff from the luser that we definitely do not trust)
> If we can split the permissions into these two, then the second one has no permissions and can't mess around as much.
> It just takes wrestling, tests, and time.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org