[ https://issues.apache.org/jira/browse/SOLR-8099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17095576#comment-17095576 ]

Christine Poerschke commented on SOLR-8099:
-------------------------------------------

bq. ... Somebody wanted to use the sleep function for some testing they were doing. It took some headscratching and digging to determine that the function requires TWO parameters, and help from Hoss to determine exactly what that second parameter does. ...

Thanks for the hint w.r.t. the function taking two parameters! It helped with the testing I did for SOLR-14442 and from observation and quick code inspection -- https://github.com/apache/lucene-solr/blob/releases/lucene-solr/8.5.1/solr/core/src/java/org/apache/solr/search/ValueSourceParser.java#L160-L172 -- it appears that the first parameter is the sleep interval in milliseconds and the second parameter is the function's return value.

Illustration:
{code}
$ curl 'http://localhost:8983/solr/techproducts/select?fl=id,popularity,score&defType=func&q=add(popularity,sleep(1234,42))&rows=1'
{
  "responseHeader":{
    "status":0,
    "QTime":1236,
    "params":{
      "q":"add(popularity,sleep(1234,42))",
      "defType":"func",
      "fl":"id,popularity,score",
      "rows":"1"}},
  "response":{"numFound":32,"start":0,"maxScore":52.0,"docs":[
      {
        "id":"MA147LL/A",
        "popularity":10,
        "score":52.0}]
  }}
{code}

> Remove sleep() function / ValueSourceParser
> -------------------------------------------
>
>                 Key: SOLR-8099
>                 URL: https://issues.apache.org/jira/browse/SOLR-8099
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>              Labels: security
>             Fix For: 5.5
>
>         Attachments: SOLR-8099.patch, SOLR-8099.patch, SOLR-8099.patch
>
>
> As per Doug Turnbull, the sleep() represents a security risk.
> {noformat}
> I noticed a while back that "sleep" is a function query. Which I
> believe means I can make the current query thread sleep for as long as I
> like.
> I'm guessing an attacker could use this to starve Solr of threads, running
> a denial of service attack by running multiple queries with sleeps in them.
> Is this a concern? I realize there may be test purposes to sleep a function
> query, but I'm trying to think if there's really practical purpose to
> having sleep here.
> Best,
> -Doug
> {noformat}
> This issue is to remove it, since it is neither documented publicly, nor used 
> internally very much, apart from one test suite.
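The comment above pins down the semantics of sleep(ms, value) in function queries, and the original report's concern is that such calls hold request threads. The following is an added example, not code from the Solr project or from anyone in this thread: a small Python detector that scans Solr request-log lines for sleep(...) calls in any query parameter and reports the delay each one requests next to the observed QTime. The log lines are constructed for the example and only mimic the layout of Solr's default request logging; the regexes and function names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample Solr request-log lines (not captured from a real
# system); the layout mimics Solr's default request logging, where the
# query parameters appear as params={...} followed by hits/status/QTime.
SAMPLE_LOG = """\
2020-04-29 10:00:01.123 INFO  (qtp1-12) [   x:techproducts] o.a.s.c.S.Request [techproducts]  webapp=/solr path=/select params={q=ipod&fl=id,score&rows=10} hits=3 status=0 QTime=4
2020-04-29 10:00:02.456 INFO  (qtp1-13) [   x:techproducts] o.a.s.c.S.Request [techproducts]  webapp=/solr path=/select params={q=add(popularity,sleep(1234,42))&defType=func&fl=id,popularity,score&rows=1} hits=32 status=0 QTime=1236
2020-04-29 10:00:03.789 INFO  (qtp1-14) [   x:techproducts] o.a.s.c.S.Request [techproducts]  webapp=/solr path=/select params={q=*:*&fl=id,sleepy:sleep(5000,1)&rows=5} hits=32 status=0 QTime=5003
"""

# Tail of a Solr request-log line: path, raw params, hit count, status, QTime.
_REQUEST_RE = re.compile(
    r"path=(?P<path>\S+) params=\{(?P<params>.*)\} hits=(?P<hits>\d+) "
    r"status=(?P<status>\d+) QTime=(?P<qtime>\d+)"
)

# sleep(<ms>,<value>): per the comment above, the first argument is the
# delay in milliseconds and the second is only the returned value, so only
# the first argument matters for how long the request thread is held.
_SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(?P<ms>\d+)\s*,")


def find_sleep_calls(log_text):
    """Return one finding per sleep(...) call found in any query parameter.

    Every parameter is inspected (not just q), because function queries can
    also appear in fl, bq, sort and similar parameters.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(m.group("params"), keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                for call in _SLEEP_RE.finditer(value):
                    findings.append({
                        "line": lineno,
                        "path": m.group("path"),
                        "param": name,
                        "requested_ms": int(call.group("ms")),
                        "qtime_ms": int(m.group("qtime")),
                    })
    return findings


def total_requested_ms(findings):
    """Total thread time (ms) requested via sleep() across all findings."""
    return sum(f["requested_ms"] for f in findings)


if __name__ == "__main__":
    found = find_sleep_calls(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['param']} holds a thread ~{f['requested_ms']} ms "
              f"(observed QTime {f['qtime_ms']} ms)")
    print(f"total requested sleep: {total_requested_ms(found)} ms")
```

The requested delay and the observed QTime line up closely in the sample, which is the signal a reviewer of real logs would look for; on a release where the function has been removed (Fix For 5.5 per the issue), any remaining match in logs would simply indicate a rejected request rather than a held thread.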



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
