[jira] [Resolved] (SOLR-10648) Do not expose STOP.PORT and STOP.KEY in sysProps

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Resolved] (SOLR-10648) Do not expose STOP.PORT and STOP.KEY in sysProps

JIRA jira@apache.org

     [ https://issues.apache.org/jira/browse/SOLR-10648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl resolved SOLR-10648.
--------------------------------
    Resolution: Not A Problem

Closing this, as the STOP.KEY leak is not a big issue.

The idea of unifying sys prop redaction to one location is carried over to SOLR-12976

> Do not expose STOP.PORT and STOP.KEY in sysProps
> ------------------------------------------------
>
>                 Key: SOLR-10648
>                 URL: https://issues.apache.org/jira/browse/SOLR-10648
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: security
>
> Currently anyone with HTTP access to Solr can see the Admin UI and all the system properties. In there you find
> {noformat}
> -DSTOP.KEY=solrrocks
> -DSTOP.PORT=7983
> {noformat}
> This means that anyone with this info can shut down Solr by hitting that port with the key (if it is not firewalled).
> I think the simple solution is to add STOP.PORT and STOP.KEY from {{$SOLR_START_OPTS}} to the {{$SOLR_JETTY_CONFIG[@]}} variable. It will still be visible on the cmdline but not over HTTP.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]