The bigger problem is that a bot can send values directly to Solr. That is not safe. Everything sent to the front end or an API needs to be parsed, checked, then recreated to send to Solr. A bot should never be getting a sort parameter through to Solr.
wunder Walter Underwood wun...@wunderwood.org http://observer.wunderwood.org/ (my blog) > On May 28, 2019, at 8:02 AM, Shawn Heisey <apa...@elyograg.org> wrote: > > On 5/28/2019 7:48 AM, Schwank, Désirée wrote: >> At the end of April we realized lots of errors, "SolrException: Can't >> determine a Sort Order (asc or desc) in sort spec 'score+desc,id+asc'" >> first appearance in logs about 2019-04-29, without apparent reason. > > The problem here is that you are sending your "sort" parameter with plus > signs instead of spaces. > > The plus sign is URL encoding for a space, but in this case, you are actually > sending plus signs, which means that what's actually on the URL is probably > "score%2Bdesc,id%2Basc" ... not "score+desc,id+asc". > > I know this is the case because I tried the following URL: > > http://localhost:8983/solr/foo/select?q=*:*&sort=drip+err > > And this is the message I got back: > > Can't determine a Sort Order (asc or desc) in sort spec 'drip err' > > As you can see, the + has been converted to a space. > > You will need to ensure that what your URL encoder is being fed has spaces, > not plus signs. > > Thanks, > Shawn
