Return-Path: X-Original-To: apmail-lucene-dev-archive@www.apache.org Delivered-To: apmail-lucene-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 15A829AC1 for ; Tue, 28 Feb 2012 19:42:12 +0000 (UTC) Received: (qmail 72616 invoked by uid 500); 28 Feb 2012 19:42:10 -0000 Delivered-To: apmail-lucene-dev-archive@lucene.apache.org Received: (qmail 72566 invoked by uid 500); 28 Feb 2012 19:42:10 -0000 Mailing-List: contact dev-help@lucene.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@lucene.apache.org Delivered-To: mailing list dev@lucene.apache.org Received: (qmail 72559 invoked by uid 99); 28 Feb 2012 19:42:10 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Feb 2012 19:42:10 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Feb 2012 19:42:07 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 3FCA533F0FE for ; Tue, 28 Feb 2012 19:41:46 +0000 (UTC) Date: Tue, 28 Feb 2012 19:41:46 +0000 (UTC) From: "Erik Hatcher (Commented) (JIRA)" To: dev@lucene.apache.org Message-ID: <933535201.29879.1330458106262.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <1963294774.16246.1330109991301.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Commented] (SOLR-3161) Use of 'qt' should be restricted to searching and should not start with a '/' MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/SOLR-3161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13218530#comment-13218530 ] Erik Hatcher commented on SOLR-3161: ------------------------------------ bq. I hope you verified that /select?qt=/ Did you mean that literally, as a single /? Anyway, with my patch (handleSelect=false and "/select" replacing the default "search" request handler), qt is nothing special. So /select?qt=/ is the same as /select since /select handler itself ignores qt. bq. What are your thoughts on my question to Hoss? IMO, if we're going the way of this DispatchingRequestHandler, then handleSelect should always be "false" and there should be no default request handler. Just map what you want to "/select" to make it the "default" since that's what the convention is. > Use of 'qt' should be restricted to searching and should not start with a '/' > ----------------------------------------------------------------------------- > > Key: SOLR-3161 > URL: https://issues.apache.org/jira/browse/SOLR-3161 > Project: Solr > Issue Type: Improvement > Components: search, web gui > Reporter: David Smiley > Assignee: David Smiley > Fix For: 3.6, 4.0 > > Attachments: SOLR-3161-dispatching-request-handler.patch > > > I haven't yet looked at the code involved for suggestions here; I'm speaking based on how I think things should work and not work, based on intuitiveness and security. In general I feel it is best practice to use '/' leading request handler names and not use "qt", but I don't hate it enough when used in limited (search-only) circumstances to propose its demise. But if someone proposes its deprecation that then I am +1 for that. > Here is my proposal: > Solr should error if the parameter "qt" is supplied with a leading '/'. (trunk only) > Solr should only honor "qt" if the target request handler extends solr.SearchHandler. > The new admin UI should only use 'qt' when it has to. For the query screen, it could present a little pop-up menu of handlers to choose from, including "/select?qt=mycustom" for handlers that aren't named with a leading '/'. This choice should be positioned at the top. > And before I forget, me or someone should investigate if there are any similar security problems with the shards.qt parameter. Perhaps shards.qt can abide by the same rules outlined above. > Does anyone foresee any problems with this proposal? > On a related subject, I think the notion of a default request handler is bad - the default="true" thing. Honestly I'm not sure what it does, since I noticed Solr trunk redirects '/solr/' to the new admin UI at '/solr/#/'. Assuming it doesn't do anything useful anymore, I think it would be clearer to use instead of what's there now. The delta is to put the leading '/' on this request handler name, and remove the "default" attribute. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional commands, e-mail: dev-help@lucene.apache.org