[ https://issues.apache.org/jira/browse/SOLR-8099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ishan Chattopadhyaya updated SOLR-8099:
---------------------------------------
    Attachment: SOLR-8099.patch

I'm not really sure myself if this is a security issue. I was just wondering if 
it served any purpose, and it seems like it does.

Do you think we can stop loading it implicitly for everyone, and load it up 
using solrconfig.xml for only those who want it?
Here's a patch that adds the two VSPs to solrconfig.xml, and the 
QueryEqualityTest.testTestFunc() passes.

> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>
>                 Key: SOLR-8099
>                 URL: https://issues.apache.org/jira/browse/SOLR-8099
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>              Labels: security
>             Fix For: 5.4
>
>         Attachments: SOLR-8099.patch, SOLR-8099.patch, SOLR-8099.patch
>
>
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used 
> internally very much, apart from one test suite.



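A practitioner following this thread would want to know whether anyone is already sending sleep() function queries before deciding whether to keep the parser loaded. The following is an added example, not code from Solr, from the SOLR-8099 patch, or from anyone in this thread: a small Python scanner over Solr-style request log lines that flags any request parameter (q, fl, sort, bf, and so on) carrying a sleep(...) call, recovers the millisecond argument and pairs it with the logged QTime so the blocked-thread time can be totalled per thread. The log lines are constructed for the example, the line layout only approximates Solr's request logger, and the sleep(ms, value) call shape is assumed from the description quoted above.

```python
"""Flag Solr requests whose function-query parameters call sleep().

Added example, not code from the Solr project or the SOLR-8099 thread.
Assumes the sleep(<ms>, <value>) call shape described in the thread and a
request-log line layout approximating Solr's o.a.s.c.S.Request logger.
"""
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample log lines (not real traffic), shaped like Solr's request
# log: thread name in parentheses, path, the request params in braces, QTime.
SAMPLE_LOG = """\
2015-10-01 12:00:01.000 INFO  (qtp1-12) [   x:collection1] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q=*:*&rows=10&wt=json} hits=42 status=0 QTime=3
2015-10-01 12:00:02.000 INFO  (qtp1-13) [   x:collection1] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q=*:*&fl=id,sleep(30000,1)&wt=json} hits=42 status=0 QTime=30004
2015-10-01 12:00:02.100 INFO  (qtp1-14) [   x:collection1] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q={!func}sleep(60000,1)&wt=json} hits=42 status=0 QTime=60002
2015-10-01 12:00:03.000 INFO  (qtp1-15) [   x:collection1] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q=%7B%21func%7Dsleep%2830000%2C1%29&wt=json} hits=42 status=0 QTime=30001
2015-10-01 12:00:04.000 INFO  (qtp1-16) [   x:collection1] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q=name:sleeper&wt=json} hits=1 status=0 QTime=2
"""

LINE_RE = re.compile(
    r"\((?P<thread>[^)]+)\).*?path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}\s+"
    r"(?:hits=\d+\s+)?status=\d+\s+QTime=(?P<qtime>\d+)"
)
# "sleep(" not preceded by an identifier character, optionally followed by an
# integer literal (the millisecond argument).
SLEEP_RE = re.compile(r"(?<![A-Za-z0-9_])sleep\s*\(\s*(\d+)?", re.IGNORECASE)


def parse_request_line(line):
    """Return thread, path, decoded params and QTime for one request-log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "thread": m.group("thread"),
        "path": m.group("path"),
        # parse_qsl URL-decodes once; values are decoded again in find_sleep_calls
        # so a double-encoded payload is still caught.
        "params": parse_qsl(m.group("params"), keep_blank_values=True),
        "qtime": int(m.group("qtime")),
    }


def requested_sleep_ms(value):
    """Sum the literal millisecond arguments of every sleep(...) in a value (0 if non-literal)."""
    return sum(int(ms) for ms in SLEEP_RE.findall(value) if ms)


def find_sleep_calls(line):
    """Return one finding per request parameter that contains a sleep() call."""
    req = parse_request_line(line)
    if req is None:
        return []
    findings = []
    for name, value in req["params"]:
        text = unquote(value)  # second decode: catches %2573leep(...) style payloads
        if SLEEP_RE.search(text):
            findings.append({
                "thread": req["thread"],
                "path": req["path"],
                "param": name,
                "value": text,
                "requested_ms": requested_sleep_ms(text),
                "qtime": req["qtime"],
            })
    return findings


def scan(log_text):
    """Scan a whole log and return all findings in log order."""
    return [f for line in log_text.splitlines() for f in find_sleep_calls(line)]


def summarize(findings):
    """Aggregate: how many requests, which threads, and how much sleep was requested."""
    return {
        "requests": len(findings),
        "threads": sorted({f["thread"] for f in findings}),
        "total_requested_ms": sum(f["requested_ms"] for f in findings),
        "total_qtime_ms": sum(f["qtime"] for f in findings),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['thread']} {f['path']} {f['param']}={f['value']!r} "
              f"requested={f['requested_ms']}ms QTime={f['qtime']}ms")
    print(summarize(hits))
```

Two details matter in practice. Solr writes request params URL-encoded, so the scanner decodes once through parse_qsl and once more before matching; a payload encoded twice (for example %2573leep, which decodes to %73leep and then to sleep) is therefore still flagged. The identifier-boundary lookbehind keeps an ordinary field value such as name:sleeper from producing a false positive, while the requested milliseconds next to QTime show at a glance how long each request actually held its thread.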
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
