Mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ishan Chattopadhyaya (JIRA)" <>
Subject [jira] [Updated] (SOLR-8099) Remove sleep() function / ValueSourceParser
Date Tue, 01 Dec 2015 17:55:11 GMT


Ishan Chattopadhyaya updated SOLR-8099:
    Attachment: SOLR-8099.patch

I'm not really sure myself if this is a security issue. Was just wondering if it served any
purpose. And seems like it does.

Do you think we can stop loading it implicitly for everyone, and load it up using solrconfig.xml
for only those who want it?
Here's a patch that adds the two VSPs to solrconfig.xml, and the QueryEqualityTest.testTestFunc()

> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>                 Key: SOLR-8099
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>              Labels: security
>             Fix For: 5.4
>         Attachments: SOLR-8099.patch, SOLR-8099.patch, SOLR-8099.patch
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used internally
very much, apart from one test suite.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message