Posted to commits@lucene.apache.org by jb...@apache.org on 2015/11/09 22:41:26 UTC
svn commit: r1713547 - in /lucene/dev/branches/branch_5x: ./ solr/
solr/CHANGES.txt
solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml
Author: jbernste
Date: Mon Nov 9 21:41:26 2015
New Revision: 1713547
URL: http://svn.apache.org/viewvc?rev=1713547&view=rev
Log:
SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons
Modified:
lucene/dev/branches/branch_5x/ (props changed)
lucene/dev/branches/branch_5x/solr/ (props changed)
lucene/dev/branches/branch_5x/solr/CHANGES.txt (contents, props changed)
lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml
Modified: lucene/dev/branches/branch_5x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/CHANGES.txt?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_5x/solr/CHANGES.txt Mon Nov 9 21:41:26 2015
@@ -236,6 +236,9 @@ Bug Fixes
* SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward,
Mark Miller)
+* SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons
+ (Joel Bernstein)
+
Optimizations
----------------------
Modified: lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml (original)
+++ lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml Mon Nov 9 21:41:26 2015
@@ -905,8 +905,18 @@
<!--
- Distributed Stream processing.
- -->
+
+ Uncomment for distributed Stream processing.
+
+ SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
+ Java Objects to Worker nodes.
+
+ Solr also currently has apache commons-collections in it's classpath.
+
+ This makes Solr vulnerable to this security exploit:
+
+ https://issues.apache.org/jira/browse/COLLECTIONS-580.
+
<requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants">
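Review bot: The warning added to the comment is spelled `SECURTIY WARNING`, so a search of deployed configs for `SECURITY WARNING` will miss it, and `it's classpath` should read `its classpath`. The reference line ends with a period directly after the URL (`COLLECTIONS-580.`), which is easy to pick up when copying the link. The same text is added in the sample_techproducts_configs hunk at -899,8. The comment would be more useful to an operator if it also stated the precondition for enabling the handler, for example `Only uncomment if the Solr port is reachable solely from trusted nodes.` The comment opened here is closed in the following hunk, outside this one.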
@@ -915,6 +925,8 @@
</lst>
</requestHandler>
+ -->
+
<!-- Field Analysis Request Handler
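Review bot: With the `-->` added after `</requestHandler>`, the whole handler now sits inside one XML comment, so any `--` or inner comment in the handler body would make solrconfig.xml ill-formed; the lines between this hunk and the previous one are not visible here, so that should be checked (also for the sample_techproducts_configs hunk at -909,9). Separately, the change only protects cores created from these configsets afterwards. Existing solrconfig.xml copies keep `/stream` registered, and the CHANGES entry could say so as an upgrade note, e.g. `Existing configs should comment out /stream manually.`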
Modified: lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml (original)
+++ lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml Mon Nov 9 21:41:26 2015
@@ -899,8 +899,18 @@
<!--
- Distributed Stream processing.
- -->
+
+ Uncomment for distributed Stream processing.
+
+ SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
+ Java Objects to Worker nodes.
+
+ Solr also currently has apache commons-collections in it's classpath.
+
+ This makes Solr vulnerable to this security exploit:
+
+ https://issues.apache.org/jira/browse/COLLECTIONS-580.
+
<requestHandler name="/stream" class="solr.StreamHandler">
<lst name="invariants">
@@ -909,9 +919,7 @@
</lst>
</requestHandler>
-
-
-
+ -->
<!-- A Robust Example