[jira] [Commented] (SOLR-10943) SolrJ ClientUtils.escapeQueryChars should escape '$' to avoid Solr macro expansion

Fri, 23 Jun 2017 06:57:13 -0700 

    [ 
https://issues.apache.org/jira/browse/SOLR-10943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16060934#comment-16060934
 ] 

Yonik Seeley commented on SOLR-10943:
-------------------------------------

And actually, looking at escapeQueryChars, it doesn't look like we really need 
to do anything here... it already escapes { and }

{code}
http://localhost:8983/solr/techproducts/select?q=foo$\{bar\}baz&debug=true

<lst name="params">
<str name="q">foo$\{bar\}baz</str>
<str name="debug">true</str>
</lst>
</lst>
<result name="response" numFound="0" start="0"/>
<lst name="debug">
<str name="rawquerystring">foo$\{bar\}baz</str>
<str name="querystring">foo$\{bar\}baz</str>
<str name="parsedquery">text:foo text:bar text:baz</str>
<str name="parsedquery_toString">text:foo text:bar text:baz</str>
<lst name="explain"/>
<str name="QParser">LuceneQParser</str>
{code}

> SolrJ ClientUtils.escapeQueryChars should escape '$' to avoid Solr macro 
> expansion
> ----------------------------------------------------------------------------------
>
>                 Key: SOLR-10943
>                 URL: https://issues.apache.org/jira/browse/SOLR-10943
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrJ
>    Affects Versions: 5.1
>            Reporter: David Smiley
>
> Since Solr 5.1, parameters containing 
> {noformat}
>   foo${bar}baz
> {noformat} syntax will have parameter substitution performed, and will lead 
> to an error if the parameter fails to resolve.  ClientUtils.escapeQueryChars 
> should escape the dollar sign.  Heck, perhaps it should simply escape any 
> char that isn't a letter, digit, or whitespace?
> I think this would be good but it admittedly isn't a cure-all for 
> unanticipated macro expansions. For example if a client app sends 'q' to be 
> processed by edismax, then ClientUtils.escapeQueryChars shouldn't be used 
> (user may want quoting, for example; this shouldn't be escaped).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to