solr-users mailing list archives

From Tulsi Das <tulsi.das1...@gmail.com>
Subject Re: Defense against deep paging?
Date Fri, 25 Jun 2021 21:06:40 GMT
Hi Walter,
You can probably check the repo below and use it to sanitize the deep paging
params.

https://github.com/cominvent/request-sanitizer-component#requestsanitizercomponent

On Sat, 26 Jun, 2021, 2:09 am Walter Underwood, <wunder@wunderwood.org>
wrote:

> Thanks, that is exactly the info I wanted! I’ve commented there, even
> though it is closed as Won’t Do.
>
> wunder
> Walter Underwood
> wunder@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
> > On Jun 25, 2021, at 12:46 PM, Mike Drob <mdrob@mdrob.com> wrote:
> >
> > This was discussed somewhat in
> > https://issues.apache.org/jira/browse/SOLR-15252 with no
> > implementation provided.
> >
> > On Fri, Jun 25, 2021 at 11:52 AM Walter Underwood <wunder@wunderwood.org> wrote:
> >>
> >> I already said that we have a limit in the client code. I’m asking
> >> about a limit in Solr.
> >>
> >> wunder
> >> Walter Underwood
> >> wunder@wunderwood.org
> >> http://observer.wunderwood.org/  (my blog)
> >>
> >>> On Jun 25, 2021, at 11:50 AM, Håvard Wahl Kongsgård <haavard.kongsgaard@gmail.com> wrote:
> >>>
> >>> Just create a proxy client between the user and solr. Set if page >=
> >>> 500 ….
> >>> else
> >>>
> >>> Simple stuff
> >>>
> >>> On Fri, 25 Jun 2021 at 19:20, Walter Underwood <wunder@wunderwood.org> wrote:
> >>>
> >>>> Has anyone implemented protection against deep paging inside Solr? I’m
> >>>> thinking about something like a max_rows parameter, where if start+rows was
> >>>> greater than that, it would limit the max result to that number. Or maybe
> >>>> just return a 400, that would be OK too.
> >>>>
> >>>> I’ve had three or four outages caused by deep paging over the past dozen
> >>>> years with Solr. We implement a limit in the client code, then someone
> >>>> forgets to add it to the redesigned client code. A limit in the request
> >>>> handler would be so much easier.
> >>>>
> >>>> And yes, I know about cursor marks. We don’t want to enable deep paging,
> >>>> we want to stop it.
> >>>>
> >>>> wunder
> >>>> Walter Underwood
> >>>> wunder@wunderwood.org
> >>>> http://observer.wunderwood.org/  (my blog)
> >>>>
> >>>> --
> >>> Håvard Wahl Kongsgård
> >>> Data Scientist
> >>
>
>
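
The proxy-side limit discussed in this thread, as an added example that is not from any poster here and is not code from Solr or the linked request-sanitizer-component: it enforces a ceiling on start+rows with either policy mentioned above (clamp the window, or answer 400). `guard_query`, `DeepPagingRejected` and `MAX_DEPTH` are hypothetical names, and the ceiling of 500 is a constructed sample value.

```python
from urllib.parse import parse_qsl, urlencode

MAX_DEPTH = 500      # assumed ceiling on start+rows (constructed sample value)
DEFAULT_ROWS = 10    # Solr's default page size when rows is omitted


class DeepPagingRejected(ValueError):
    """The proxy should answer HTTP 400 instead of forwarding to Solr."""


def _single_int(pairs, name, default):
    values = [v for k, v in pairs if k == name]
    if not values:
        return default
    if len(values) > 1:
        # Ambiguous request: do not guess which copy the backend would honour.
        raise DeepPagingRejected(f"repeated parameter: {name}")
    v = values[0]
    # Plain ASCII digits only: rejects "-1", "1e9", "" and oversized numbers.
    if not (v.isascii() and v.isdigit() and len(v) <= 10):
        raise DeepPagingRejected(f"{name} must be a non-negative integer")
    return int(v)


def guard_query(query_string, max_depth=MAX_DEPTH, clamp=False):
    """Return the query string to forward, or raise DeepPagingRejected."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    start = _single_int(pairs, "start", 0)
    rows = _single_int(pairs, "rows", DEFAULT_ROWS)
    if start + rows <= max_depth:
        return query_string                      # within budget, forward as-is
    if not clamp:
        raise DeepPagingRejected(
            f"start+rows={start + rows} exceeds {max_depth}")
    # Clamp policy: shrink the window so it never reaches past max_depth.
    start = min(start, max_depth)
    rows = min(rows, max_depth - start)
    kept = [(k, v) for k, v in pairs if k not in ("start", "rows")]
    return urlencode(kept + [("start", start), ("rows", rows)])
```

This checks only `start` and `rows` in the URL query string; parameters sent in a POST body or through the JSON Request API need the same check before the request is forwarded.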
