lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Smiley (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-3161) Use of 'qt' should be restricted to searching and should not start with a '/'
Date Fri, 23 Mar 2012 14:25:28 GMT

     [ https://issues.apache.org/jira/browse/SOLR-3161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Smiley updated SOLR-3161:
-------------------------------

    Attachment: SOLR-3161_limit_qt=_____to_refer_to_SearchHandlers,_and_shards_qt_likewise.patch

Attached is a patch for 3x that does two things:
* SolrDispatchFilter will now throw an error if 'qt' starts with a '/' and doesn't extend
from SearchHandler.  I added a test ensuring qt=/update errors.
* SolrCore checks if isShard=true and then requires the target request handler to be a SearchHandler.
 I added a test for this. The check for this seemed a little out of place but I can't think
of anything better.

All tests pass.

The changes.txt entry is: 
* SOLR-3161: Don't use the 'qt' parameter with a leading '/'.  It probably won't work in 4.0
and it's now limited in 3.6 to SearchHandler subclasses that aren't lazy-loaded.

I propose I commit this to both 3x and trunk in ~2 days to allow time for review.

For 4.0, I think Erik and I (and Hoss?) are of like minds.  Introduce the uber-flexible DispatchingRequestHandler
to handle 'qt', AND remove handleSelect and related code that DispatchingRequestHandler renders
obsolete.  Erik and I would never use it but some of you clearly like 'qt'. Deprecated warnings
would need to be added to 3.x to warn people about handleSelect=true going away.  I suspect
the hardest part of this may be updating old tests that want to use 'qt'.  Thoughts?
                
> Use of 'qt' should be restricted to searching and should not start with a '/'
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-3161
>                 URL: https://issues.apache.org/jira/browse/SOLR-3161
>             Project: Solr
>          Issue Type: Improvement
>          Components: search, web gui
>            Reporter: David Smiley
>            Assignee: David Smiley
>             Fix For: 3.6, 4.0
>
>         Attachments: SOLR-3161-disable-qt-by-default.patch, SOLR-3161-dispatching-request-handler.patch,
SOLR-3161-dispatching-request-handler.patch, SOLR-3161_limit_qt=_____to_refer_to_SearchHandlers,_and_shards_qt_likewise.patch
>
>
> I haven't yet looked at the code involved for suggestions here; I'm speaking based on
how I think things should work and not work, based on intuitiveness and security. In general
I feel it is best practice to use '/' leading request handler names and not use "qt", but
I don't hate it enough when used in limited (search-only) circumstances to propose its demise.
But if someone proposes its deprecation that then I am +1 for that.
> Here is my proposal:
> Solr should error if the parameter "qt" is supplied with a leading '/'. (trunk only)
> Solr should only honor "qt" if the target request handler extends solr.SearchHandler.
> The new admin UI should only use 'qt' when it has to. For the query screen, it could
present a little pop-up menu of handlers to choose from, including "/select?qt=mycustom" for
handlers that aren't named with a leading '/'. This choice should be positioned at the top.
> And before I forget, me or someone should investigate if there are any similar security
problems with the shards.qt parameter. Perhaps shards.qt can abide by the same rules outlined
above.
> Does anyone foresee any problems with this proposal?
> On a related subject, I think the notion of a default request handler is bad - the default="true"
thing. Honestly I'm not sure what it does, since I noticed Solr trunk redirects '/solr/' to
the new admin UI at '/solr/#/'. Assuming it doesn't do anything useful anymore, I think it
would be clearer to use <requestHandler name="/select" class="solr.SearchHandler"> instead
of what's there now. The delta is to put the leading '/' on this request handler name, and
remove the "default" attribute.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message