Posted to issues@lucene.apache.org by "Joel Bernstein (Jira)" <ji...@apache.org> on 2019/12/04 16:58:00 UTC

[jira] [Comment Edited] (SOLR-13987) fix admin UI to not rely on javascript eval()

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987994#comment-16987994 ] 

Joel Bernstein edited comment on SOLR-13987 at 12/4/19 4:57 PM:
----------------------------------------------------------------

I have a question and a possible approach.

Is the main issue here that people *want* to expose Solr to the open internet, or that people may expose Solr to the open internet by mistake? Or is there some other concern about internal attacks?

Here is a suggestion that I would be willing to take on to resolve this specific security issue. The suggestion is have Solr start in "headless" mode by default. This would effectively turn off the admin. But a flag could be used to turn on the admin at startup.

How do people feel about this suggestion?


was (Author: joel.bernstein):
I have a question and a possible approach.

Is the main issue here that people *want* to expose Solr to the open internet, or that people may expose Solr to the open internet by mistake? Is is there some other concern about internal attacks?

Here is a suggestion that I would be willing to take on to resolve this specific security issue. The suggestion is have Solr start in "headless" mode by default. This would effectively turn off the admin. But a flag could be used to turn on the admin at startup.

How do people feel about this suggestion?

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval, which means arbitrary JavaScript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
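The issue description above says the admin UI's reliance on eval() forces the Content-Security-Policy to carry 'unsafe-eval', which makes the policy weak. The following is an added example, not code from Solr or from any participant in this thread. It parses a CSP header to decide whether the policy still lets strings become code, and contrasts a hypothetical eval-style lookup helper (standing in for the kind of pattern that needs 'unsafe-eval'; it is not Solr's actual code) with an eval-free equivalent. The policies and the injected path string are constructed sample input.

```javascript
// Added example; not Solr's code. Shows why a CSP containing 'unsafe-eval' cannot
// stop injected text from running, and how an eval-free helper closes that path.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Effective script sources: script-src, falling back to default-src as CSP does.
function scriptSources(header) {
  const d = parseCsp(header);
  return d['script-src'] || d['default-src'] || [];
}

// With 'unsafe-eval' present, eval(), new Function(), and string arguments to
// setTimeout/setInterval all turn attacker-controlled text into executable code,
// so the rest of the policy cannot contain an injection.
function allowsEval(header) {
  return scriptSources(header).includes("'unsafe-eval'");
}

// Hypothetical UI helper that needs 'unsafe-eval': resolves "a.b.c" by compiling
// the path string into code (new Function is blocked by CSP exactly like eval).
function readPathWithEval(obj, path) {
  return new Function('o', 'return o.' + path)(obj);
}

// Eval-free replacement: walk the path as data, never as code.
function readPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Constructed policies (sample input).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self'";

// Constructed malicious "path": looks like a lookup, smuggles an assignment.
const INJECTED_PATH = 'missing || (globalThis.pwned = true)';

// Run both helpers against the same injected string and report what happened.
function demo() {
  const doc = { name: 'collection1', missing: undefined };
  globalThis.pwned = false;
  const viaEval = readPathWithEval(doc, INJECTED_PATH); // executes the injection
  const pwnedByEval = globalThis.pwned === true;
  globalThis.pwned = false;
  const viaWalk = readPath(doc, INJECTED_PATH); // treats it as a missing key
  const pwnedByWalk = globalThis.pwned === true;
  return { viaEval, pwnedByEval, viaWalk, pwnedByWalk };
}

console.log(demo(), { weak: allowsEval(WEAK_CSP), strict: allowsEval(STRICT_CSP) });
```

The point of the pairing: as long as the UI contains a helper like readPathWithEval, the server must ship WEAK_CSP and allowsEval() stays true, so an injected string still runs. Once every such helper is rewritten in the readPath style, STRICT_CSP can be served and the browser itself refuses eval(), new Function() and string timers.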