You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by solr-user <so...@hotmail.com> on 2012/11/21 02:23:17 UTC

is there a way to prevent abusing rows parameter

silly question

is there any configuration value I can set to prevent someone from entering
a bad value for the rows parameter?

ie to prevent something like "&rows=100000000"  from crashing my servers?

the server I am looking at is a solr v3.6



--
View this message in context: http://lucene.472066.n3.nabble.com/is-there-a-way-to-prevent-abusing-rows-parameter-tp4021467.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: is there a way to prevent abusing rows parameter

Posted by Amit Nithian <an...@gmail.com>.

If you're going to validate the rows parameter, may as well validate the
start parameter too.. I've run into problems with start and rows with
ridiculously high values crash our servers.

On Thu, Nov 22, 2012 at 9:58 AM, solr-user <so...@hotmail.com> wrote:

> Thanks guys.  This is a problem with the front end not validating requests.
> I was hoping there might be a simple config value I could enter/change,
> rather than going the long process of migrating a proper fix all the way up
> to our production servers.  Looks like not, but thx.
>
>
>
> --
> View this message in context:
> http://lucene.472066.n3.nabble.com/is-there-a-way-to-prevent-abusing-rows-parameter-tp4021467p4021892.html
> Sent from the Solr - User mailing list archive at Nabble.com.
>

Re: is there a way to prevent abusing rows parameter

Posted by solr-user <so...@hotmail.com>.

Thanks guys.  This is a problem with the front end not validating requests. 
I was hoping there might be a simple config value I could enter/change,
rather than going the long process of migrating a proper fix all the way up
to our production servers.  Looks like not, but thx.



--
View this message in context: http://lucene.472066.n3.nabble.com/is-there-a-way-to-prevent-abusing-rows-parameter-tp4021467p4021892.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: is there a way to prevent abusing rows parameter

Posted by Alexandre Rafalovitch <ar...@gmail.com>.

Does that 'someone' has direct access to Solr endpoint? Is that a right
thing to do in a first place?

But assuming they do (e.g. intranet), you could build on Jack's suggestion
and create a couple of query-handler end-points that are only different in
invariant raw count value. So, your default search goes to search10, your
25 results page goes to search25, etc.

Regards,
   Alex.

Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)

On Tue, Nov 20, 2012 at 8:23 PM, solr-user <so...@hotmail.com> wrote:

> silly question
>
> is there any configuration value I can set to prevent someone from entering
> a bad value for the rows parameter?
>
> ie to prevent something like "&rows=100000000"  from crashing my servers?
>
> the server I am looking at is a solr v3.6
>
>
>
> --
> View this message in context:
> http://lucene.472066.n3.nabble.com/is-there-a-way-to-prevent-abusing-rows-parameter-tp4021467.html
> Sent from the Solr - User mailing list archive at Nabble.com.
>

Re: is there a way to prevent abusing rows parameter

Posted by Jack Krupansky <ja...@basetechnology.com>.

You could set an "invariant" parameter value, but that would mean they can't 
give an override.

It might be a useful addition to Solr to have a maximum value (specified as 
an invariant).

You could also simply add your own Solr "search component" that checked and 
maxed the &rows.

-- Jack Krupansky

-----Original Message----- 
From: solr-user
Sent: Tuesday, November 20, 2012 8:23 PM
To: solr-user@lucene.apache.org
Subject: is there a way to prevent abusing rows parameter

silly question

is there any configuration value I can set to prevent someone from entering
a bad value for the rows parameter?

ie to prevent something like "&rows=100000000"  from crashing my servers?

the server I am looking at is a solr v3.6



--
View this message in context: 
http://lucene.472066.n3.nabble.com/is-there-a-way-to-prevent-abusing-rows-parameter-tp4021467.html
Sent from the Solr - User mailing list archive at Nabble.com.