[ https://issues.apache.org/jira/browse/SOLR-13983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16999242#comment-16999242 ]

ASF subversion and git services commented on SOLR-13983:
--------------------------------------------------------

Commit 8c14015e52af2568aaefbf6fb4c6e8ad01a6a8fe in lucene-solr's branch refs/heads/branch_8x from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=8c14015 ]

SOLR-13983: remove or replace process execution in SystemInfoHandler

> remove or replace process execution in SystemInfoHandler
> --------------------------------------------------------
>
>                 Key: SOLR-13983
>                 URL: https://issues.apache.org/jira/browse/SOLR-13983
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public (Default Security Level. Issues are Public)
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-13983.patch
>
>
> SystemInfoHandler is the only place in solr code executing processes.
> Since solr is a server/long running process listening to HTTP, ideally
> process execution could be disabled (e.g. with security manager). But first
> this code needs to be removed or replaced, so that there is no legitimate use
> of it:
> {noformat}
>     try {
>       if (!Constants.WINDOWS) {
>         info.add( "uname", execute( "uname -a" ) );
>         info.add( "uptime", execute( "uptime" ) );
>       }
>     } catch( Exception ex ) {
>       log.warn("Unable to execute command line tools to get operating system properties.", ex);
>     }
>     return info;
> {noformat}
> It already looks like it's getting data from OS MXbean here, so maybe this
> logic is simply outdated or not needed. It seems to be "best-effort" anyway.
> Alternatively similar stuff could be fetched by reading from e.g. /proc file
> system location if needed.
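
The replacement the issue above suggests (OS MXBean data plus an optional /proc read, no child process), sketched as an added example; it is not the committed patch or Solr's own code. The class name OsInfoWithoutExec, the map keys and the choice of /proc/uptime are assumptions made for illustration.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.lang.management.OperatingSystemMXBean;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper: gathers uname/uptime-style data without executing any process. */
public class OsInfoWithoutExec {

  /** Approximates the useful part of "uname -a" from the OS MXBean. */
  static String unameLike(OperatingSystemMXBean os) {
    return os.getName() + " " + os.getVersion() + " " + os.getArch();
  }

  /** First field of /proc/uptime is seconds since boot; returns -1 if the text is malformed. */
  static long parseUptimeSeconds(String procUptime) {
    try {
      return (long) Double.parseDouble(procUptime.trim().split("\\s+")[0]);
    } catch (NumberFormatException e) {
      return -1L;
    }
  }

  /** Best-effort like the original block: anything unavailable is simply left out. */
  static Map<String, Object> collect() {
    Map<String, Object> info = new LinkedHashMap<>();
    OperatingSystemMXBean os = ManagementFactory.getOperatingSystemMXBean();
    info.put("uname", unameLike(os));
    double load = os.getSystemLoadAverage(); // negative when the platform cannot report it
    if (load >= 0) info.put("loadAverage", load);
    try {
      Path p = Paths.get("/proc/uptime"); // Linux only; absent elsewhere
      if (Files.isReadable(p)) {
        long secs = parseUptimeSeconds(new String(Files.readAllBytes(p), StandardCharsets.UTF_8));
        if (secs >= 0) info.put("uptimeSeconds", secs);
      }
    } catch (IOException | SecurityException e) {
      // A security policy may deny the read; omit uptime rather than fail the handler.
    }
    return info;
  }

  public static void main(String[] args) {
    // Constructed sample of /proc/uptime content, to show the parser on known input.
    System.out.println("parsed sample = " + parseUptimeSeconds("350735.47 234388.90\n"));
    collect().forEach((k, v) -> System.out.println(k + " = " + v));
  }
}
```

With no remaining caller of process execution, a security policy that denies it no longer needs an exception for this handler.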