Here is a late response, apache.org was rejecting our e-mails... Allowing leading wildcards opens up a denial of service attack. It becomes trivial to overload the search engine and take it out of service, just hammer it with leading wildcard queries. Please leave the default as disabled. If we add a config option, there should be a security warning with it.
wunder

On 4/19/07 8:04 AM, "Michael Kimsal" <[EMAIL PROTECTED]> wrote:

> It still seems like it's only something that would be invoked by a user's
> query.
>
> If I queried for *foobar and leading wildcards were not on in the server,
> I'd get back nothing, which isn't really correct. I'd think the application
> should tell the user that that syntax isn't supported.
>
> Perhaps I'm simplifying it a bit. It would certainly help out our comfort
> level to have it either be on or configurable by default, rather than having
> to maintain a 'patched' version (yes, the patch is only one line, but it's
> the principle of the thing).
> I suspect this would be the same for others.
>
> On 4/19/07, Erik Hatcher <[EMAIL PROTECTED]> wrote:
>>
>> On Apr 19, 2007, at 10:39 AM, Yonik Seeley wrote:
>>> On 4/19/07, Erik Hatcher <[EMAIL PROTECTED]> wrote:
>>>>> parser.setAllowLeadingWildcards(true);
>>>>
>>>> I have also run into this issue and have intended to fix up Solr to
>>>> allow configuring that switch on QueryParser.
>>>
>>> Any reason that parser.setAllowLeadingWildcards(true) shouldn't be
>>> the default?
>>
>> That's fine by me. But...
>>
>>> Does it really need to be configurable?
>>
>> It all depends on how bad of a hit it'd take on Solr. What's the
>> breaking point where the performance of full-term scanning (and
>> subsequently faceting, of course) kills over or dies? FuzzyQuery's
>> die on my 3.7M index and not-super-beefy hardware and system setup.
>>
>> Erik
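
An added example, not part of the original thread and not Solr or Lucene code: an application-side check that rejects leading-wildcard terms before the query reaches the search engine, so the user gets an explicit "not supported" error instead of an empty result and the expensive full-term scan never starts. The function names are hypothetical, the tokenizer is a simplified approximation of Lucene query syntax (an assumption), and the sample queries are constructed.

```python
import re

# Simplified tokenizer for Lucene-style query strings (an assumption of this
# example, not the real QueryParser grammar): a token is either a quoted
# phrase or a run of characters up to whitespace, a parenthesis or a quote,
# with backslash escapes kept attached to the character they escape.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|(?:\\.|[^\s()"\\])+')
# Optional field prefix such as title:, ignoring escaped colons.
_FIELD = re.compile(r'(?:\\.|[^:\\])+:')


def leading_wildcard_terms(query):
    """Return the tokens whose term text starts with an unescaped * or ?."""
    offending = []
    for match in _TOKEN.finditer(query):
        token = match.group(0)
        if token.startswith('"'):
            continue  # wildcard characters inside a phrase are literal text
        if token == '*:*':
            continue  # Solr's match-all query, not a wildcard term scan
        term = token.lstrip('+-!')  # required / prohibited operators
        field = _FIELD.match(term)
        if field:
            term = term[field.end():]
        if term[:1] in ('*', '?'):
            offending.append(token)
    return offending


def check_query(query):
    """Raise a clear error for unsupported syntax; otherwise pass through."""
    bad = leading_wildcard_terms(query)
    if bad:
        raise ValueError('leading wildcards are not supported: ' + ', '.join(bad))
    return query


if __name__ == '__main__':
    # Constructed sample queries.
    for q in ['foo*', '*foobar', 'title:*bar +?ing', r'\*foo "*literal" te?t']:
        try:
            print('accepted:', check_query(q))
        except ValueError as err:
            print('rejected:', q, '->', err)
```
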