[
https://issues.apache.org/jira/browse/SOLR-8099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15491557#comment-15491557
]
Shawn Heisey commented on SOLR-8099:
------------------------------------
This issue turned up in an IRC discussion. Somebody wanted to use the sleep
function for some testing they were doing. It took some headscratching and
digging to determine that the function requires TWO parameters, and help from
Hoss to determine exactly what that second parameter does.
IMHO, any function we have should be documented, even those that are only used
for testing. I understand the security risk mentioned up above, so perhaps a
general config option that enables risky behavior could be implemented, and the
availability of the sleep function could be one of the things controlled by
that option.
> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>
> Key: SOLR-8099
> URL: https://issues.apache.org/jira/browse/SOLR-8099
> Project: Solr
> Issue Type: Improvement
> Reporter: Ishan Chattopadhyaya
> Labels: security
> Fix For: 5.5
>
> Attachments: SOLR-8099.patch, SOLR-8099.patch, SOLR-8099.patch
>
>
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used
> internally very much, apart from one test suite.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)