Posted to dev@lucene.apache.org by "David Smiley (Updated) (JIRA)" <ji...@apache.org> on 2012/03/11 06:39:02 UTC

[jira] [Updated] (SOLR-3161) Use of 'qt' should be restricted to searching and should not start with a '/'

     [ https://issues.apache.org/jira/browse/SOLR-3161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Smiley updated SOLR-3161:
-------------------------------

    Attachment: SOLR-3161-disable-qt-by-default.patch

Attached is a patch for 3x called "SOLR-3161-disable-qt-by-default".  The tests pass.  Aside from the changes I said I did, there were a couple other changes you will notice in the patch:
* I made handleSelect default to false, as Erik did in his patch. I did this because if someone were to unwittingly rename /select to /whatever, they would be very surprised to discover that /select still works.  And besides, it's basically legacy behavior in my view.  I added a comment on how to get 'qt' to work in solrconfig.
* In the admin UI query form, I renamed "Query Type" to "Request Handler" with a default choice of "/select" and I moved it to the top where it belongs. I wrote some JavaScript to make it switch the form's action to this value when it starts with a '/'.  I tested in FF & Safari and I queried several times using the back-button in-between to ensure there were no lingering state issues with modifying the form.
* I couldn't resist; in the admin UI query form, I renamed the label for 'q' from "Solr/Lucene Statement" to be "Query String" which is the same label seen on the front page.

It should be noted that my patch proposal and Erik's before it are about improving the default configuration such that qt doesn't even work without taking steps to enable it, vs making 'qt' safer which is what the title of this issue is.

I'll commit this ~ Tuesday 11am (GMT-5) unless someone objects.
                
> Use of 'qt' should be restricted to searching and should not start with a '/'
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-3161
>                 URL: https://issues.apache.org/jira/browse/SOLR-3161
>             Project: Solr
>          Issue Type: Improvement
>          Components: search, web gui
>            Reporter: David Smiley
>            Assignee: David Smiley
>             Fix For: 3.6, 4.0
>
>         Attachments: SOLR-3161-disable-qt-by-default.patch, SOLR-3161-dispatching-request-handler.patch, SOLR-3161-dispatching-request-handler.patch
>
>
> I haven't yet looked at the code involved for suggestions here; I'm speaking based on how I think things should work and not work, based on intuitiveness and security. In general I feel it is best practice to use '/' leading request handler names and not use "qt", but I don't hate it enough when used in limited (search-only) circumstances to propose its demise. But if someone proposes its deprecation, then I am +1 for that.
> Here is my proposal:
> Solr should error if the parameter "qt" is supplied with a leading '/'. (trunk only)
> Solr should only honor "qt" if the target request handler extends solr.SearchHandler.
> The new admin UI should only use 'qt' when it has to. For the query screen, it could present a little pop-up menu of handlers to choose from, including "/select?qt=mycustom" for handlers that aren't named with a leading '/'. This choice should be positioned at the top.
> And before I forget, I or someone else should investigate if there are any similar security problems with the shards.qt parameter. Perhaps shards.qt can abide by the same rules outlined above.
> Does anyone foresee any problems with this proposal?
> On a related subject, I think the notion of a default request handler is bad - the default="true" thing. Honestly I'm not sure what it does, since I noticed Solr trunk redirects '/solr/' to the new admin UI at '/solr/#/'. Assuming it doesn't do anything useful anymore, I think it would be clearer to use <requestHandler name="/select" class="solr.SearchHandler"> instead of what's there now. The delta is to put the leading '/' on this request handler name, and remove the "default" attribute.
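As an added illustration (not part of the attached patch or of the issue text), here is a solrconfig.xml fragment contrasting the legacy layout the description refers to (a "default" handler without a leading '/', reached through 'qt' via the request dispatcher) with the layout the issue proposes (an explicit "/select" handler and handleSelect turned off). The handler defaults shown (echoParams, rows) are illustrative values, not taken from the patch.

```xml
<!-- Added example, not from the SOLR-3161 patch. Illustrative values only. -->

<!-- LEGACY layout (what the issue argues against):
     handleSelect="true" makes the dispatcher treat /select specially and
     route the request to whichever handler the 'qt' parameter names, so
     qt=<anything registered> selects a handler regardless of its purpose. -->
<requestDispatcher handleSelect="true">
  <requestParsers enableRemoteStreaming="false" multipartUploadLimitInKB="2048" />
</requestDispatcher>
<requestHandler name="standard" class="solr.SearchHandler" default="true">
  <lst name="defaults">
    <str name="echoParams">explicit</str>
    <int name="rows">10</int>
  </lst>
</requestHandler>

<!-- PROPOSED layout (what the patch's defaults correspond to):
     handleSelect="false" so 'qt' no longer picks the handler by itself;
     search goes to a handler registered under the explicit path "/select",
     and the "default" attribute is dropped. To re-enable the old 'qt'
     dispatch behaviour, handleSelect must be set back to "true" deliberately. -->
<requestDispatcher handleSelect="false">
  <requestParsers enableRemoteStreaming="false" multipartUploadLimitInKB="2048" />
</requestDispatcher>
<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="defaults">
    <str name="echoParams">explicit</str>
    <int name="rows">10</int>
  </lst>
</requestHandler>
```

With the second layout, a request to /select is answered by the handler registered at that path, and renaming that handler path really does stop /select from working, which is the behaviour the comment above describes wanting.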
