Posted to commits@lucene.apache.org by jb...@apache.org on 2015/11/09 22:41:26 UTC

svn commit: r1713547 - in /lucene/dev/branches/branch_5x: ./ solr/ solr/CHANGES.txt solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml

Author: jbernste
Date: Mon Nov  9 21:41:26 2015
New Revision: 1713547

URL: http://svn.apache.org/viewvc?rev=1713547&view=rev
Log:
SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons

Modified:
    lucene/dev/branches/branch_5x/   (props changed)
    lucene/dev/branches/branch_5x/solr/   (props changed)
    lucene/dev/branches/branch_5x/solr/CHANGES.txt   (contents, props changed)
    lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
    lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml

Modified: lucene/dev/branches/branch_5x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/CHANGES.txt?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_5x/solr/CHANGES.txt Mon Nov  9 21:41:26 2015
@@ -236,6 +236,9 @@ Bug Fixes
 * SOLR-8254: HttpSolrCore.getCoreByCollection() can throw NPE (Alan Woodward,
   Mark Miller)
 
+* SOLR-8262: Comment out /stream handler from sample solrconfig.xml's for security reasons
+  (Joel Bernstein)
+
 Optimizations
 ----------------------
 

Modified: lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml (original)
+++ lucene/dev/branches/branch_5x/solr/server/solr/configsets/data_driven_schema_configs/conf/solrconfig.xml Mon Nov  9 21:41:26 2015
@@ -905,8 +905,18 @@
 
 
   <!--
-  Distributed Stream processing.
-  -->
+
+  Uncomment for distributed Stream processing.
+
+  SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
+                    Java Objects to Worker nodes.
+
+                    Solr also currently has apache commons-collections in it's classpath.
+
+                    This makes Solr vulnerable to this security exploit:
+
+                    https://issues.apache.org/jira/browse/COLLECTIONS-580.
+
 
   <requestHandler name="/stream" class="solr.StreamHandler">
     <lst name="invariants">
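Review bot: The added warning ties the risk to commons-collections being on the classpath, which reads as if removing that jar would make `/stream` safe to enable. By the comment's own description the handler deserializes Java objects sent over RPC, so the text should name that as the exposure and treat commons-collections as one known source of gadget classes. It should also tell an operator who uncomments the block what is expected of them, for example `Only enable this handler when the Solr HTTP port is reachable solely from trusted Solr nodes.` In the same comment, "SECURTIY" and "it's" should read `SECURITY` and `its`; the identical text is added in the sample_techproducts_configs hunk. The enclosing comment is closed by the `-->` in the next hunk, and because only the sample configsets change, cores already created from them presumably keep the handler enabled, which the CHANGES entry could state.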
@@ -915,6 +925,8 @@
     </lst>
   </requestHandler>
 
+  -->
+
 
 
   <!-- Field Analysis Request Handler

Modified: lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml?rev=1713547&r1=1713546&r2=1713547&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml (original)
+++ lucene/dev/branches/branch_5x/solr/server/solr/configsets/sample_techproducts_configs/conf/solrconfig.xml Mon Nov  9 21:41:26 2015
@@ -899,8 +899,18 @@
 
 
   <!--
-  Distributed Stream processing.
-  -->
+
+  Uncomment for distributed Stream processing.
+
+  SECURTIY WARNING: This feature uses Java Serialization for RPC (Remote Procedure Calls) to send executable
+                    Java Objects to Worker nodes.
+
+                    Solr also currently has apache commons-collections in it's classpath.
+
+                    This makes Solr vulnerable to this security exploit:
+
+                    https://issues.apache.org/jira/browse/COLLECTIONS-580.
+
 
   <requestHandler name="/stream" class="solr.StreamHandler">
     <lst name="invariants">
@@ -909,9 +919,7 @@
     </lst>
   </requestHandler>
 
-
-
-
+  -->
 
 
   <!-- A Robust Example