Posted to dev@lucene.apache.org by "Shawn Heisey (JIRA)" <ji...@apache.org> on 2017/10/16 19:44:00 UTC

[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default

    [ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16206467#comment-16206467 ] 

Shawn Heisey commented on SOLR-11495:
-------------------------------------

This is how I think we should initially define the default list:

{code}
    map.put(LuceneQParserPlugin.NAME, LuceneQParserPlugin.class);
    map.put(FunctionQParserPlugin.NAME, FunctionQParserPlugin.class);
    map.put(DisMaxQParserPlugin.NAME, DisMaxQParserPlugin.class);
    map.put(ExtendedDismaxQParserPlugin.NAME, ExtendedDismaxQParserPlugin.class);
{code}

This list corresponds to these parser names:  lucene, func, dismax, edismax

I almost didn't include the function query parser in that list.  It is one of the more complex parsers we have, and therefore might be potentially vulnerable to exploit ... but I think it's probably so commonly used that it would break a lot of installs to remove it.

For a lot of the remaining parsers, there are strong arguments for inclusion in the default list, but anytime a parser is considered for inclusion, we need to weigh how widely used that parser is against the possible risks of increasing the attack surface.  Is the terms query parser likely to be exploitable?  That would take a code review to determine.


> Reduce the list of which query parsers are loaded by default
> ------------------------------------------------------------
>
>                 Key: SOLR-11495
>                 URL: https://issues.apache.org/jira/browse/SOLR-11495
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query parsers
>    Affects Versions: 7.0
>            Reporter: Shawn Heisey
>
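
The comment above weighs how widely a parser is used against the attack surface it adds. One way to measure the usage side is to count which parsers an installation's own requests select beyond the proposed default list. This is an added example, not code from the JIRA comment or from Solr; the `params={...}` log layout and the sample lines are constructed assumptions, and `join` stands in as a second non-default parser name.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Parser names from the proposed default list in the comment above.
PROPOSED_DEFAULTS = {"lucene", "func", "dismax", "edismax"}
LOCAL_PARAMS = re.compile(r"\{!([^}]*)\}")
# Assumption: the log line carries the URL-encoded request parameters as params={...}.
PARAMS_FIELD = re.compile(r"params=\{(.*)\}(?:\s|$)")


def parsers_in_request(param_string):
    """Return the parser names a request selects via defType or {!...} local params."""
    names = set()
    for key, value in parse_qsl(param_string, keep_blank_values=True):
        if key == "defType" and value:
            names.add(value)
        for body in LOCAL_PARAMS.findall(value):
            tokens = body.split()
            if tokens and "=" not in tokens[0]:
                names.add(tokens[0])          # short form: {!terms f=id}
            for tok in tokens:
                if tok.startswith("type="):   # long form: {!type=join ...}
                    names.add(tok[5:].strip("'\""))
    return names


def parsers_outside_defaults(log_lines):
    """Count requests per parser that the proposed default list would not load."""
    counts = Counter()
    for line in log_lines:
        m = PARAMS_FIELD.search(line)
        if m:
            counts.update(parsers_in_request(m.group(1)) - PROPOSED_DEFAULTS)
    return counts


# Constructed sample request-log lines (not taken from a real system).
SAMPLE_LOG = [
    "INFO [c1] webapp=/solr path=/select params={q=title:solr&defType=edismax&qf=title} status=0 QTime=3",
    "INFO [c1] webapp=/solr path=/select params={q=*:*&fq={!terms+f%3Did}1,2,3} status=0 QTime=1",
    "INFO [c1] webapp=/solr path=/select params={q={!type%3Djoin+from%3Dparent+to%3Did}kind:a&fq={!terms+f%3Did}7} status=0 QTime=5",
    "INFO [c1] webapp=/solr path=/select params={q={!func}sum(price,1)&fl=id} status=0 QTime=2",
]

if __name__ == "__main__":
    for name, n in parsers_outside_defaults(SAMPLE_LOG).most_common():
        print(f"{name}: {n} request(s) would need the parser registered explicitly")
```

Requests that rely on the default parser without naming it are not counted, since `lucene` is in the proposed list either way.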



