lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Walter Underwood <>
Subject Re: Leading wildcards
Date Mon, 23 Apr 2007 22:07:35 GMT
Here is a late response, was rejecting our e-mails...

Allowing leading wildcards opens up a denial of service attack. It becomes
trivial to overload the search engine and take it out of service, just
hammer it with leading wildcard queries. Please leave the default as
disabled. If we add a config option, there should be a  security warning
with it.


On 4/19/07 8:04 AM, "Michael Kimsal" <> wrote:

> It still seems like it's only something that would be invoked by a user's
> query.
> If I queried for *foobar and leading wildcards were not on in the server,
> I'd get back nothing, which isn't really correct.  I'd think the application
> should
> tell the user that that syntax isn't supported.
> Perhaps I'm simplifying it a bit.  It would certainly help out our comfort
> level
> to have it either be on or configurable by default, rather than having to
> maintain a
> 'patched' version (yes, the patch is only one line, but it's the principle
> of the thing).
> I suspect this would be the same for others.
> On 4/19/07, Erik Hatcher <> wrote:
>> On Apr 19, 2007, at 10:39 AM, Yonik Seeley wrote:
>>> On 4/19/07, Erik Hatcher <> wrote:
>>>>> parser.setAllowLeadingWildcards(true);
>>>> I have also run into this issue and have intended to fix up Solr to
>>>> allow configuring that switch on QueryParser.
>>> Any reason that parser.setAllowLeadingWildcards(true) shouldn't be
>>> the default?
>> That's fine by me.  But...
>>> Does it really need to be configurable?
>> It all depends on how bad of a hit it'd take on Solr.   What's the
>> breaking point where the performance of full-term scanning (and
>> subsequently faceting, of course) kills over or dies?   FuzzyQuery's
>> die on my 3.7M index and not-super-beefy hardware and system setup.
>>         Erik

View raw message