solr-users mailing list archives

From Walter Underwood <wun...@wunderwood.org>
Subject Re: Defense against deep paging?
Date Fri, 25 Jun 2021 21:21:17 GMT
Oooh, very nice. Thanks!

wunder
Walter Underwood
wunder@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Jun 25, 2021, at 2:06 PM, Tulsi Das <tulsi.das1286@gmail.com> wrote:
> 
> Hi Walter,
> Probably you can check below repo and use it to sanitize the deep paging
> params.
> 
> https://github.com/cominvent/request-sanitizer-component#requestsanitizercomponent
> 
> On Sat, 26 Jun, 2021, 2:09 am Walter Underwood, <wunder@wunderwood.org>
> wrote:
> 
>> Thanks, that is exactly the info I wanted! I’ve commented there, even
>> though it is closed as Won’t Do.
>> 
>> wunder
>> Walter Underwood
>> wunder@wunderwood.org
>> http://observer.wunderwood.org/  (my blog)
>> 
>>> On Jun 25, 2021, at 12:46 PM, Mike Drob <mdrob@mdrob.com> wrote:
>>> 
>>> This was discussed somewhat in
>>> https://issues.apache.org/jira/browse/SOLR-15252 with no
>>> implementation provided.
>>> 
>>> On Fri, Jun 25, 2021 at 11:52 AM Walter Underwood <wunder@wunderwood.org> wrote:
>>>> 
>>>> I already said that we have a limit in the client code. I’m asking
>>>> about a limit in Solr.
>>>> 
>>>> wunder
>>>> Walter Underwood
>>>> wunder@wunderwood.org
>>>> http://observer.wunderwood.org/  (my blog)
>>>> 
>>>>> On Jun 25, 2021, at 11:50 AM, Håvard Wahl Kongsgård <haavard.kongsgaard@gmail.com> wrote:
>>>>> 
>>>>> Just create a proxy client between the user and solr. Set if page >= 500 ….
>>>>> else
>>>>> 
>>>>> Simple stuff
>>>>> 
>>>>> On Fri, Jun 25, 2021 at 19:20, Walter Underwood <wunder@wunderwood.org> wrote:
>>>>> 
>>>>>> Has anyone implemented protection against deep paging inside Solr? I’m
>>>>>> thinking about something like a max_rows parameter, where if start+rows was
>>>>>> greater than that, it would limit the max result to that number. Or maybe
>>>>>> just return a 400, that would be OK too.
>>>>>> 
>>>>>> I’ve had three or four outages caused by deep paging over the past dozen
>>>>>> years with Solr. We implement a limit in the client code, then someone
>>>>>> forgets to add it to the redesigned client code. A limit in the request
>>>>>> handler would be so much easier.
>>>>>> 
>>>>>> And yes, I know about cursor marks. We don’t want to enable deep paging,
>>>>>> we want to stop it.
>>>>>> 
>>>>>> wunder
>>>>>> Walter Underwood
>>>>>> wunder@wunderwood.org
>>>>>> http://observer.wunderwood.org/  (my blog)
>>>>>> 
>>>>>> --
>>>>> Håvard Wahl Kongsgård
>>>>> Data Scientist
>>>> 
>> 
>> 
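
The start+rows cap described in the original question, sketched as a check a gateway in front of Solr could run. This is an added example, not code from Solr, SOLR-15252 or the request-sanitizer-component; `MAX_WINDOW`, `check_paging` and the `clamp` option are hypothetical names, and the fallbacks of start=0 and rows=10 assume Solr's stock defaults.

```python
import re
from urllib.parse import parse_qs

MAX_WINDOW = 500     # assumed cap on start+rows (the "max_rows" idea in the thread)
DEFAULT_START = 0    # assumption: Solr's default when start is absent
DEFAULT_ROWS = 10    # assumption: Solr's default when rows is absent


def _int_param(params, name, default):
    """Return the parameter as a non-negative int, or raise ValueError."""
    values = params.get(name)
    if not values:
        return default
    if len(values) > 1:
        # Repeated start/rows: refuse rather than guess which copy the backend reads.
        raise ValueError(f"{name} given more than once")
    # ASCII digits only: rejects "-1", "", "1e9" and forms like "1_0" that int() accepts.
    if not re.fullmatch(r"[0-9]+", values[0]):
        raise ValueError(f"{name} is not a non-negative integer")
    return int(values[0])


def check_paging(query_string, max_window=MAX_WINDOW, clamp=False):
    """Decide what to do with a request before it reaches Solr.

    Returns (status, start, rows). Status 200 means forward the request with
    the returned start/rows; status 400 means reject it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        start = _int_param(params, "start", DEFAULT_START)
        rows = _int_param(params, "rows", DEFAULT_ROWS)
    except ValueError:
        return 400, None, None
    if start + rows <= max_window:
        return 200, start, rows
    if clamp and start < max_window:
        # "limit the max result to that number": shrink rows to fit the window.
        return 200, start, max_window - start
    return 400, None, None
```

The check only sees `start` and `rows` in the URL query string; paging values sent in a POST body or as `offset`/`limit` through the JSON Request API need the same treatment.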

