You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/12/01 18:09:11 UTC
[jira] [Commented] (SOLR-8099) Remove sleep() function /
ValueSourceParser
[ https://issues.apache.org/jira/browse/SOLR-8099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15034085#comment-15034085 ]
Ishan Chattopadhyaya commented on SOLR-8099:
--------------------------------------------
Both these were added by [~yseeley@gmail.com] in SOLR-3685 (https://svn.apache.org/viewvc?view=revision&revision=1370297). Is it supposed to be useful for tests which are under consideration? Or is it dead code which is safe to remove?
> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>
> Key: SOLR-8099
> URL: https://issues.apache.org/jira/browse/SOLR-8099
> Project: Solr
> Issue Type: Improvement
> Reporter: Ishan Chattopadhyaya
> Labels: security
> Fix For: 5.4
>
> Attachments: SOLR-8099.patch
>
>
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used internally very much, apart from one test suite.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org