Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/09/27 15:26:04 UTC

[jira] [Created] (SOLR-8099) Remove sleep() function / valuesourceparse

Ishan Chattopadhyaya created SOLR-8099:
------------------------------------------

             Summary: Remove sleep() function / valuesourceparse
                 Key: SOLR-8099
                 URL: https://issues.apache.org/jira/browse/SOLR-8099
             Project: Solr
          Issue Type: Improvement
            Reporter: Ishan Chattopadhyaya
             Fix For: 5.4


As per Doug Turnbull, the sleep() function represents a security risk.

{noformat}
I noticed a while back that "sleep" is a function query. Which I
believe means I can make the current query thread sleep for as long as I
like.

I'm guessing an attacker could use this to starve Solr of threads, running
a denial of service attack by running multiple queries with sleeps in them.

Is this a concern? I realize there may be test purposes to sleep a function
query, but I'm trying to think if there's really a practical purpose to
having sleep here.

Best,
-Doug
{noformat}

This issue is to remove it, since it is neither documented publicly, nor used internally very much, apart from one test suite.



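For operators running a Solr version that still has the function, a log check for the thread-starvation pattern described in this issue might look like the following. This is an added example, not code from the issue or from the Solr project. The log layout (client address, then request URL), the sample lines, and the reading of the first sleep() argument as milliseconds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: "<client> <request URL>". Not real Solr log output.
SAMPLE_LOG = """\
10.0.0.5 /solr/products/select?q=title:lamp&sort=price+asc
10.0.0.9 /solr/products/select?q=%7B!func%7Dsleep(30000,1)
10.0.0.9 /solr/products/select?q=*:*&fl=id,sleep%2860000%2C1%29
10.0.0.7 /solr/products/select?q=sleep+apnea&fl=id
10.0.0.9 /solr/products/select?q=*:*&bf=sleep(45000,popularity)
"""

# "sleep" used as a function call; the first numeric argument is
# assumed to be the requested delay in milliseconds.
SLEEP_CALL = re.compile(r"\bsleep\s*\(\s*(\d+)?", re.IGNORECASE)


def find_sleep_calls(log_text):
    """Return {client: [(param, requested_ms or None), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _, url = line.partition(" ")
        # parse_qsl URL-decodes values, so %28/%29-encoded calls are seen too.
        for param, value in parse_qsl(urlsplit(url).query):
            for match in SLEEP_CALL.finditer(value):
                ms = int(match.group(1)) if match.group(1) else None
                hits[client].append((param, ms))
    return dict(hits)


def total_requested_ms(hits):
    """Sum the delay each client asked query threads to spend sleeping."""
    return {c: sum(ms or 0 for _, ms in calls) for c, calls in hits.items()}


if __name__ == "__main__":
    found = find_sleep_calls(SAMPLE_LOG)
    for client, total in total_requested_ms(found).items():
        print(f"{client}: {len(found[client])} sleep() calls, {total} ms requested")
```

The plain-text search for "sleep apnea" is not flagged, because the pattern requires an opening parenthesis after the function name.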