Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2017/05/25 19:27:04 UTC

[jira] [Created] (SOLR-10748) Disable stream.body by default

Jan Høydahl created SOLR-10748:
----------------------------------

             Summary: Disable stream.body by default
                 Key: SOLR-10748
                 URL: https://issues.apache.org/jira/browse/SOLR-10748
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: search
            Reporter: Jan Høydahl
             Fix For: master (7.0)


Spinoff from SOLR-9623

Today you can pass an HTTP request parameter {{stream.body}} which Solr interprets as the body content of the request, i.e. it acts as a POST request. This is useful for development and testing but can pose a security risk in production, since users/clients with permission to GET on various endpoints can also post by using {{stream.body}}. The classic example is {{&stream.body=<delete><query>*:*</query></delete>}}. This feature cannot be turned off by configuration; it is not controlled by {{enableRemoteStreaming}}.
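Until the feature can be disabled, a defender can at least spot it in access logs. The script below is an added example (not part of this issue or of Solr) that scans NCSA-style request log lines, such as those Jetty writes, for a {{stream.body}} parameter arriving on a GET and flags bodies that carry update commands like the {{<delete>}} example above. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA-style request log line (assumed format, as Jetty's request log writes it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Update commands (XML or JSON form) that should never ride along on a GET.
STATE_CHANGING = re.compile(
    r'<(delete|add|commit|optimize|rollback)\b'
    r'|"(delete|add|commit|optimize|rollback)"\s*:', re.I
)

def inspect_line(line):
    """Return None for lines without stream.body, else a dict describing its use."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if 'stream.body' not in params:
        return None
    body = params['stream.body'][0]
    return {
        'ip': m.group('ip'),
        'method': m.group('method'),
        'path': parts.path,
        'status': int(m.group('status')),
        'body': body,
        'state_changing': bool(STATE_CHANGING.search(body)),
    }

def scan(lines):
    """Keep only GETs whose stream.body carries a state-changing command."""
    findings = []
    for line in lines:
        hit = inspect_line(line)
        if hit and hit['method'] == 'GET' and hit['state_changing']:
            findings.append(hit)
    return findings

# Constructed sample lines for the example; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2017:19:27:04 +0000] "GET /solr/collection1/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/May/2017:19:27:05 +0000] "GET /solr/collection1/update?commit=true&stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E HTTP/1.1" 200 40',
    '10.0.0.9 - - [25/May/2017:19:27:06 +0000] "POST /solr/collection1/update HTTP/1.1" 200 40',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['body']}")
```

Only the second sample line is reported: it is a GET whose decoded {{stream.body}} is a delete-all command, while the plain POST update is normal client behaviour.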

This JIRA will add a configuration option {{requestDispatcher.requestParsers.enableStreamBody}} to the {{<requestParsers>}} tag in solrconfig as well as to the Config API. I propose to set the default value to **{{false}}**.

Apart from security concerns, this also aligns well with our v2 API effort, which tries to stick to the principle of least surprise in that GET requests shall not be able to modify state. Developers should know how to do a POST today :)



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
