You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Robert Muir (Jira)" <ji...@apache.org> on 2019/12/12 23:30:00 UTC
[jira] [Reopened] (SOLR-14071) Untrusted configsets shouldn't be
allowed to use directive
[ https://issues.apache.org/jira/browse/SOLR-14071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Muir reopened SOLR-14071:
--------------------------------
Assignee: Ishan Chattopadhyaya
this says it is a resolved 8.4 blocker, but it was committed after Adrien branched for release: wasn't backported to {{branch_8_4}}.
> Untrusted configsets shouldn't be allowed to use <lib> directive
> ----------------------------------------------------------------
>
> Key: SOLR-14071
> URL: https://issues.apache.org/jira/browse/SOLR-14071
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Ishan Chattopadhyaya
> Assignee: Ishan Chattopadhyaya
> Priority: Blocker
> Fix For: 8.4
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> Allowing untrusted configsets, i.e. those have been uploaded using the configset upload API without authx enabled, to use the <lib> directive can open up possibilities for malicious users to include insecure contribs libraries.
> Whoever wants to use their own libraries can add them to the classpath of Solr (i.e. place them wherever solr-core-*jar resides). For them, the <lib> directive won't be necessary anyway.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org