[jira] [Commented] (SOLR-8099) Remove sleep() function / ValueSourceParser

["Ishan Chattopadhyaya (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/SOLR-8099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15034085#comment-15034085 ] 

Ishan Chattopadhyaya commented on SOLR-8099:
--------------------------------------------

Both these were added by [~yseeley@gmail.com] in SOLR-3685 (https://svn.apache.org/viewvc?view=revision&revision=1370297). Is it supposed to be useful for tests which are under consideration? Or is it dead code which is safe to remove?

> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>
>                 Key: SOLR-8099
>                 URL: https://issues.apache.org/jira/browse/SOLR-8099
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>              Labels: security
>             Fix For: 5.4
>
>         Attachments: SOLR-8099.patch
>
>
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used internally very much, apart from one test suite.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org