[ https://issues.apache.org/jira/browse/SOLR-16808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Houston Putman updated SOLR-16808:
----------------------------------
    Security: Public (was: Private (Security Issue))

> Solr publishes environment variables via the Metrics API
> --------------------------------------------------------
>
> Key: SOLR-16808
> URL: https://issues.apache.org/jira/browse/SOLR-16808
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Components: metrics
> Affects Versions: 9.0
> Reporter: Houston Putman
> Assignee: Houston Putman
> Priority: Blocker
> Fix For: 9.3
>
> Attachments: SOLR-16808.patch
>
>
> Much like sysProps, Solr apparently has published envVars through the metrics
> API since 9.0.
> As I mentioned in
> [SOLR-15019|https://issues.apache.org/jira/browse/SOLR-15019?focusedCommentId=17286680&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17286680],
> this is a big security issue and it should be removed. Before the release of
> 9.0, the use of this within the PlacementPlugins was removed, but the real
> issue of publishing via the metrics API was never addressed. (Weird, because
> I remember testing this out...)
> This is a security risk, because we have very little way of controlling what
> Environment Variables users use on their machines, and it's too big of a
> burden to have them keep a list of these in their Solr.xml.
> We should remove this "metric" and create a bug-fix release.