  1. Solr
  2. SOLR-16808

Solr publishes environment variables via the Metrics API


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.0
    • Fix Version/s: 9.3
    • Component/s: metrics
    • Labels: None

    Description

      Much like sysProps, Solr apparently has published envVars through the metrics API since 9.0.

      As I mentioned in SOLR-15019, this is a big security issue and it should be removed. Before the release of 9.0, the use of this within the PlacementPlugins was removed, but the real issue of publishing via the metrics API was never addressed. (Weird, because I remember testing this out...)

      This is a security risk, because we have very little way of controlling what Environment Variables users use on their machines, and it's too big of a burden to have them keep a list of these in their Solr.xml.

      We should remove this "metric" and create a bug-fix release.

      Attachments

        1. SOLR-16808.patch
          1 kB
          Houston Putman


            People

              houston Houston Putman