@Jan Hoydahl
@Andy Lester
@Gus Heck

Thank you very much!  :)


-----Original Message-----
From: Gus Heck <gus.h...@gmail.com> 
Sent: Thursday, February 3, 2022 21:14
To: users@solr.apache.org
Subject: Re: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

The original question was cross posted to dev list (this list actually is the 
better list for this question btw). I saw that one first and replied there with 
a lot of detail on how this came to change. Here's what I wrote
there:

Before proceeding you should review
https://issues.apache.org/jira/browse/SOLR-15844 and also
https://issues.apache.org/jira/browse/SOLR-13971 ,
https://issues.apache.org/jira/browse/SOLR-14025 and their associated CVEs. 
If after reading those you feel you need to continue to enable such a dangerous 
feature (not recommended, but it's your system), you may need to select an 
earlier version of Solr (prior to 14025 being fixed I think) or patch a later 
version of Solr to not use SecureUberspector, or configure it differently (see 
https://github.com/apache/lucene-solr/commit/128360856d50d7b39473644e6c1c21ba11766195#diff-1e87c2460a42a273fc3b5a63c26f6fbe3f580f2001876d6792063cba6b3a47a0R379).
In any case you should also be aware that in future versions velocity will not 
be available by default and you will need to install a Solritas package for 
that type of functionality. (see 
https://issues.apache.org/jira/browse/SOLR-14792). If this is not going to be 
sufficient, you may wish to begin planning some other path forward, or 
contribute enhancements to Solritas yourself.

-Gus

On Thu, Feb 3, 2022 at 1:28 PM Andy Lester <a...@petdance.com> wrote:

>
>
> > On Feb 3, 2022, at 3:03 AM, Jan Høydahl <jan....@cominvent.com> wrote:
> >
> > This is/was a security hole and a big anti-pattern.
>
> Is this still possible in 8.x? If so, I think it would be worth 
> putting in the docs that it can be a security problem.  I can probably do 
> that.
>
> Andy



--
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
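As an added illustration of the defensive side of this thread (not code from the list or from the Solr project), the script below audits a solrconfig.xml for Velocity response writer declarations, which is the first thing an operator wants to know before deciding whether the tickets above apply to them. The sample config is constructed for the example, and the resource-loader setting name it contains is assumed rather than taken from the thread; the script flags any child setting whose name mentions a loader being enabled, so it does not depend on that exact name.

```python
import xml.etree.ElementTree as ET

# Class names under which the Velocity writer is commonly declared in solrconfig.xml.
VELOCITY_CLASSES = {
    "solr.VelocityResponseWriter",
    "org.apache.solr.response.VelocityResponseWriter",
}

# Constructed sample solrconfig.xml fragment; the loader setting name is an assumption
# for the example, not something taken from the mailing-list thread.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>
"""


def find_velocity_writers(xml_text):
    """Return one finding per queryResponseWriter that uses a Velocity class.

    Each finding records the writer name, its class, and a map of any child
    settings whose name mentions a loader being enabled, with their boolean value.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for writer in root.iter("queryResponseWriter"):
        cls = writer.get("class", "")
        if cls not in VELOCITY_CLASSES:
            continue
        loaders = {}
        for child in writer:
            name = child.get("name", "")
            if "loader" in name and "enabled" in name:
                loaders[name] = (child.text or "").strip().lower() == "true"
        findings.append({
            "name": writer.get("name"),
            "class": cls,
            "loaders_enabled": loaders,
        })
    return findings


def assess(finding):
    """Rate a finding: any enabled template/resource loader is the riskier case,
    because it lets templates arrive from outside the server's own template dir."""
    if any(finding["loaders_enabled"].values()):
        return "high"
    return "medium"


def audit(xml_text):
    """Produce (severity, writer name) pairs for reporting."""
    return [(assess(f), f["name"]) for f in find_velocity_writers(xml_text)]


if __name__ == "__main__":
    for severity, name in audit(SAMPLE_SOLRCONFIG):
        print(f"{severity.upper()}: Velocity response writer '{name}' is declared")
```

Run it against a real solrconfig.xml by reading the file into `audit()`; an empty result means no Velocity writer is declared in that core's config, which is the state the thread recommends for most deployments.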
