Return-Path: X-Original-To: apmail-lucene-dev-archive@www.apache.org Delivered-To: apmail-lucene-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 60EBF9094 for ; Thu, 29 Mar 2012 04:44:37 +0000 (UTC) Received: (qmail 25475 invoked by uid 500); 29 Mar 2012 04:44:36 -0000 Delivered-To: apmail-lucene-dev-archive@lucene.apache.org Received: (qmail 25347 invoked by uid 500); 29 Mar 2012 04:44:35 -0000 Mailing-List: contact dev-help@lucene.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@lucene.apache.org Delivered-To: mailing list dev@lucene.apache.org Received: (qmail 25309 invoked by uid 99); 29 Mar 2012 04:44:35 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Mar 2012 04:44:35 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Mar 2012 04:44:33 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 5475834B8C7 for ; Thu, 29 Mar 2012 04:44:13 +0000 (UTC) Date: Thu, 29 Mar 2012 04:44:13 +0000 (UTC) From: "David Smiley (Commented) (JIRA)" To: dev@lucene.apache.org Message-ID: <1065182689.31264.1332996253426.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <1963294774.16246.1330109991301.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Commented] (SOLR-3161) Use of 'qt' should be restricted to searching and should not start with a '/' MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/SOLR-3161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13240963#comment-13240963 ] David Smiley commented on SOLR-3161: ------------------------------------ As an aside, this default request handler patch should probably have been another JIRA issue instead of this JIRA issue including several different things including clarifying the default config. I stupidly committed the patch without testing and it broke the build because solr/core/src/test-files/solr/conf/solrconfig.xml (and possibly other test configs) has a (with no default="true"). Either the config(s) should be updated to be "/select" based (which I don't mind doing) or I could add back "standard" as eligible for default request handler nomination. I committed the latter now because it's the safest. /select should takes precedence. I also committed a warning message if there is none registered: {code} if(get("") == null) log.warn("no default request handler is registered (either '/select' or 'standard')"); {code} > Use of 'qt' should be restricted to searching and should not start with a '/' > ----------------------------------------------------------------------------- > > Key: SOLR-3161 > URL: https://issues.apache.org/jira/browse/SOLR-3161 > Project: Solr > Issue Type: Improvement > Components: search, web gui > Reporter: David Smiley > Assignee: David Smiley > Fix For: 4.0 > > Attachments: SOLR-3161-disable-qt-by-default.patch, SOLR-3161-dispatching-request-handler.patch, SOLR-3161-dispatching-request-handler.patch, SOLR-3161_limit_qt=_____to_refer_to_SearchHandlers,_and_shards_qt_likewise.patch, SOLR-3161_make_the_slash-select_request_handler_the_default.patch > > > I haven't yet looked at the code involved for suggestions here; I'm speaking based on how I think things should work and not work, based on intuitiveness and security. In general I feel it is best practice to use '/' leading request handler names and not use "qt", but I don't hate it enough when used in limited (search-only) circumstances to propose its demise. But if someone proposes its deprecation that then I am +1 for that. > Here is my proposal: > Solr should error if the parameter "qt" is supplied with a leading '/'. (trunk only) > Solr should only honor "qt" if the target request handler extends solr.SearchHandler. > The new admin UI should only use 'qt' when it has to. For the query screen, it could present a little pop-up menu of handlers to choose from, including "/select?qt=mycustom" for handlers that aren't named with a leading '/'. This choice should be positioned at the top. > And before I forget, me or someone should investigate if there are any similar security problems with the shards.qt parameter. Perhaps shards.qt can abide by the same rules outlined above. > Does anyone foresee any problems with this proposal? > On a related subject, I think the notion of a default request handler is bad - the default="true" thing. Honestly I'm not sure what it does, since I noticed Solr trunk redirects '/solr/' to the new admin UI at '/solr/#/'. Assuming it doesn't do anything useful anymore, I think it would be clearer to use instead of what's there now. The delta is to put the leading '/' on this request handler name, and remove the "default" attribute. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional commands, e-mail: dev-help@lucene.apache.org