Recommended security settings now that 'disable_dynamic' is deprecated?

Discussion in 'Enhanced Search Support' started by jeffwidman, Sep 1, 2015.

  1. jeffwidman

    jeffwidman Active Member

    Several threads about the ElasticSearch addon suggest setting:
    script.disable_dynamic: true
    However, that was deprecated in ElasticSearch 1.6. What are the new recommended settings?

    I looked through the docs, but I'm not sure what they mean when they refer to 'languages that are sandboxed'. cc @Xon @eva2000 @Slavik

    It looks like dynamic scripting is still disabled by default, but for these kinds of things I like to explicitly set it just in case the defaults ever change down the road.

    Also, with this setting being deprecated, do I still need to copy the /path/to/Xenforo/library/XenES/_scripts/*.groovy files over to /etc/elasticsearch/scripts/ ?
  2. Mike

    Mike XenForo Developer Staff Member

    The deprecation is of the particular option. It is being replaced with a few options to allow the same limits and more. What was dynamic scripting appears to be script.inline now.

    Higher up that page they list the available languages and whether they are sandboxed.

    Yes, especially if you are disabling script.inline (but allowing script.file). Note that our script implementations aren't in sandboxed languages.
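
An added example, not part of either post and not XenForo or Elasticsearch code: a shell audit of the settings this thread discusses. It flags the deprecated script.disable_dynamic key, checks that script.inline is set explicitly to off, and confirms the .groovy files are in the scripts directory when script.file is allowed. Assumptions: elasticsearch.yml uses flat dotted keys, off/false are the disabling values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes flat dotted keys ("script.inline: off"), not nested YAML.

# es_setting FILE KEY -> prints the last value assigned to KEY, or nothing.
es_setting() {
  awk -v key="$2" '
    {
      line = $0
      sub(/#.*/, "", line)                 # drop trailing and full-line comments
      n = index(line, ":")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# audit_es_scripting FILE SCRIPTS_DIR -> findings on stdout; returns 0 only if clean.
audit_es_scripting() {
  conf=$1; dir=$2; rc=0
  if [ -n "$(es_setting "$conf" script.disable_dynamic)" ]; then
    echo "WARN script.disable_dynamic is deprecated; use script.inline / script.file"; rc=1
  fi
  case "$(es_setting "$conf" script.inline)" in
    off|false) echo "OK   script.inline is explicitly off" ;;
    "")        echo "WARN script.inline is not set explicitly"; rc=1 ;;
    *)         echo "FAIL script.inline is not off"; rc=1 ;;
  esac
  case "$(es_setting "$conf" script.file)" in
    off|false) echo "FAIL script.file is off; file-based .groovy scripts cannot run"; rc=1 ;;
    *)  # file scripts allowed: the .groovy files must exist on the node
        if ls "$dir"/*.groovy >/dev/null 2>&1; then
          echo "OK   .groovy scripts present in $dir"
        else
          echo "FAIL no .groovy scripts in $dir"; rc=1
        fi ;;
  esac
  return $rc
}

# Constructed sample config (not taken from the thread).
sample_conf() {
  printf '%s\n' '# elasticsearch.yml (constructed)' 'script.inline: off' 'script.file: on'
}
```

Run it as `audit_es_scripting /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/scripts` after copying the XenES .groovy files.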
