[ 
https://issues.apache.org/jira/browse/SOLR-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903027#comment-17903027
 ] 

ASF subversion and git services commented on SOLR-16781:
--------------------------------------------------------

Commit f492e24881c5724a1b1baecfc9549e2cb0257525 in solr's branch 
refs/heads/branch_9x from Jason Gerlowski
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=f492e24881c ]

SOLR-16781: Disable <lib/> by default on 9.x (#2894)

`<lib/>` usage will now log a warning by default for future 9.x
releases.  Wary users can re-enable the feature by specifying a
sysprop: `solr.config.lib.enabled=true`.

(This commit is for 9.x branches only, and not 'main')

> Remove <lib> directives from Solr
> ---------------------------------
>
>                 Key: SOLR-16781
>                 URL: https://issues.apache.org/jira/browse/SOLR-16781
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: main (10.0)
>
>         Attachments: SOLR-16781-1.patch, SOLR-16781-2.patch, SOLR-16781.patch
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> <lib> directives in solrconfig.xml used to be the recommended way for including 
> additional jar files to the classpath for a particular collection or 
> collections.
> For context: This feature required complex handling of "trusted" vs 
> "non-trusted" configsets in configset upload API to keep Solr secure (i.e. to 
> stop RCE attacks for non-authentication enabled deployments). This security 
> feature also broke down recently due to a bug in Schema designer (SOLR-16777).
> Supported alternatives exist that are safer:
>  * user can add the jar files to Solr's classpath
>  * use packages to use custom jars per collection
> In the light of these, there's no need to continue to support the <lib> 
> directive going forward.
> I propose to remove the <lib> directives handling and functionality through 
> this issue.



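An added example, not part of the commit or the Solr code base: a small audit that lists the `<lib>` directives in a set of solrconfig.xml files, so operators can see which configsets the new 9.x default affects before upgrading. The sample configs, paths and configset names are constructed; `dir`, `path` and `regex` are attributes Solr's `<lib>` element accepts.

```python
import xml.etree.ElementTree as ET

# Constructed sample solrconfig.xml contents (not taken from the issue or the Solr repo).
SAMPLE_SOLRCONFIG = """<config>
  <lib dir="/opt/solr-plugins/lib" regex=".*\\.jar"/>
  <lib path="/opt/solr-plugins/custom-analyzer.jar"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""
CLEAN_SOLRCONFIG = "<config><requestHandler name='/select' class='solr.SearchHandler'/></config>"


def find_lib_directives(solrconfig_xml):
    """Return one attribute dict per <lib> element found in the config text."""
    # Input is the operator's own config files, parsed read-only.
    root = ET.fromstring(solrconfig_xml)
    return [dict(el.attrib) for el in root.iter("lib")]


def audit_configsets(configsets, lib_enabled=False):
    """Map configset name -> findings, one per <lib> directive.

    lib_enabled mirrors whether the node is started with
    -Dsolr.config.lib.enabled=true, the opt-in named in the commit message.
    Configsets without <lib> directives are omitted from the report.
    """
    state = "re-enabled via sysprop" if lib_enabled else "disabled by default, warning logged"
    report = {}
    for name, xml_text in sorted(configsets.items()):
        libs = find_lib_directives(xml_text)
        if libs:
            report[name] = [
                "<lib %s> (%s)" % (" ".join('%s="%s"' % kv for kv in sorted(d.items())), state)
                for d in libs
            ]
    return report


if __name__ == "__main__":
    # Hypothetical configset names mapped to the constructed samples above.
    sets = {"products": SAMPLE_SOLRCONFIG, "logs": CLEAN_SOLRCONFIG}
    for name, findings in audit_configsets(sets).items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```

Every jar a finding points at needs a new home in one of the two alternatives the issue lists: Solr's classpath or a package.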