On Tue, Nov 13, 2012 at 2:27 AM, <johnmu...@aol.com> wrote:
> I'm surprised that this has not been logged as a defect. The fact that this
> is ON by default, means someone can bring down a server; this is bad enough to
> categorize this as a security issue.
It's all relative. There are tons of queries that can take a long time, and disabling them all by default would just be frustrating for users (range queries, prefix queries, regex queries, etc.). If a single wildcard query like *a is bad, then non-leading wildcard a*a a*a a*a a*a a*a a*a a*a a*a will probably be just as bad (or [a TO z], or [* TO *], etc.). It's no real protection from a security perspective.

Individual control of different query types in edismax would probably be nice though (and perhaps a minimum wildcard prefix length rather than just an on/off switch).

-Yonik
http://lucidworks.com
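As an added illustration of the minimum-wildcard-prefix idea raised above (example code written for this page, not from the thread or from Solr): a pre-filter that classifies the wildcard and range terms of a query string before it reaches the search engine. The tokenizer is a simplified approximation of Lucene query syntax, and the thresholds (3-character prefix, at most 2 wildcard terms) are assumed values, not Solr settings.

```python
import re

# Simplified tokenizer (assumption: not Lucene's parser). A token is an
# optional "field:" prefix followed by either a [a TO z]/{a TO z} range
# or a run of non-space characters.
TOKEN = re.compile(r'(?:[\w.]+:)?(?:[\[{][^\]}]*[\]}]|\S+)')
WILDCARD_TERM = re.compile(r'^(?:[\w.]+:)?(?P<body>[^\s\[\]{}]*[*?][^\s\[\]{}]*)$')
RANGE_TERM = re.compile(r'^(?:[\w.]+:)?[\[{]\s*(?P<lo>\S+)\s+TO\s+(?P<hi>\S+)\s*[\]}]$')


def check_query(query, min_prefix=3, max_wildcard_terms=2):
    """Return a list of (token, reason) findings; an empty list means the
    query passes. Thresholds are illustrative, not engine defaults."""
    findings = []
    wildcard_terms = 0
    for tok in TOKEN.findall(query):
        m = RANGE_TERM.match(tok)
        if m:
            # [* TO *] forces the engine to enumerate every term in the field.
            if m.group('lo') == '*' and m.group('hi') == '*':
                findings.append((tok, 'open-ended range matches every document'))
            continue
        m = WILDCARD_TERM.match(tok)
        if not m:
            continue
        wildcard_terms += 1
        # Literal text before the first * or ? bounds the term dictionary
        # scan; "*a" has none, "a*a" has one character, "secur*" has five.
        prefix = re.split(r'[*?]', m.group('body'), maxsplit=1)[0]
        if len(prefix) < min_prefix:
            findings.append((tok, f'wildcard prefix {prefix!r} shorter than {min_prefix} chars'))
    # Many cheap-looking wildcard terms add up, so cap them per query too.
    if wildcard_terms > max_wildcard_terms:
        findings.append((query, f'{wildcard_terms} wildcard terms exceed limit of {max_wildcard_terms}'))
    return findings


if __name__ == '__main__':
    # Constructed sample queries taken from the shapes discussed in the thread.
    for q in ['*a', 'a*a a*a a*a a*a a*a a*a a*a a*a', '[* TO *]', 'title:secur*']:
        print(q, '->', check_query(q) or 'ok')
```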