[SOLR-10748] Disable stream.body by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 7.1, 8.0
Component/s: search
Labels:
- security
- streaming

Description

Today you can issue a HTTP request parameter stream.body which will by Solr be interpreted as body content on the request, i.e. act as a POST request. This is useful for development and testing but can pose a security risk in production since users/clients with permission to to GET on various endpoints also can post by using stream.body. The classic example is &stream.body=<delete><query>:</query></delete>. And this feature cannot be turned off by configuration, it is not controlled by enableRemoteStreaming.

This jira will add a configuration option requestDispatcher.requestParsers.enableStreamBody to the <requestParsers> tag in solrconfig as well as to the Config API. I propose to set the default value to *false*.

Apart from security concerns, this also aligns well with our v2 API effort which tries to stick to the principle of least surprice in that GET requests shall not be able to modify state. Developers should known how to do a POST today

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-10748.patch
03/Jul/17 12:28
30 kB
Jan Høydahl
SOLR-10748.patch
06/Jul/17 12:51
35 kB
Jan Høydahl

Issue Links

relates to

SOLR-9623 Disable remote streaming by default

Closed

SOLR-14853 Make enableRemoteStreaming option global; not configSet

Closed

Activity

People

Assignee:: Jan Høydahl

Reporter:: Jan Høydahl

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/May/17 19:26

Updated:: 21/May/21 03:09

Resolved:: 06/Jul/17 13:05