[
https://issues.apache.org/jira/browse/SOLR-3161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13227629#comment-13227629
]
David Smiley commented on SOLR-3161:
------------------------------------
bq. Yonik: I don't think we should remove the ability to use qt with /-prefixed
handlers, esp since the current patch here would disable "qt" by default.
Ok. In my view, the worst part of qt=/update is that it's not actually a
search. I'd love adding the SearchHandler instanceof restriction. However
Hoss says he doesn't like it:
bq. 2) assuming qt should be allowed only if it is an instance of
solr.SearchHandler seems narrow minded to me – it puts a totally arbitrary
limitation on the ability for people to have their own request handlers that
are treated as "first class citizens" and seems just as likely to lead to
suprise and frustration as it is to appreciation for the "safety" of the
feature (not to mention it procludes perfectly safe "query" type handlers like
MLTHnadler and AnalysisRequestHandler
Hoss, my answer to you is to not use 'qt' for these cases; register the
handlers with a leading '/', and for that matter, Erik and I _suggest_ that
'qt' not get used at all although we acknowledge it's still there for those
that love it.
Perhaps the restriction to appease most people's wishes should be to error IFF
qt starts with a '/' AND it doesn't extend SearchHandler.
~ David
> Use of 'qt' should be restricted to searching and should not start with a '/'
> -----------------------------------------------------------------------------
>
> Key: SOLR-3161
> URL: https://issues.apache.org/jira/browse/SOLR-3161
> Project: Solr
> Issue Type: Improvement
> Components: search, web gui
> Reporter: David Smiley
> Assignee: David Smiley
> Fix For: 3.6, 4.0
>
> Attachments: SOLR-3161-disable-qt-by-default.patch,
> SOLR-3161-dispatching-request-handler.patch,
> SOLR-3161-dispatching-request-handler.patch
>
>
> I haven't yet looked at the code involved for suggestions here; I'm speaking
> based on how I think things should work and not work, based on intuitiveness
> and security. In general I feel it is best practice to use '/' leading
> request handler names and not use "qt", but I don't hate it enough when used
> in limited (search-only) circumstances to propose its demise. But if someone
> proposes its deprecation that then I am +1 for that.
> Here is my proposal:
> Solr should error if the parameter "qt" is supplied with a leading '/'.
> (trunk only)
> Solr should only honor "qt" if the target request handler extends
> solr.SearchHandler.
> The new admin UI should only use 'qt' when it has to. For the query screen,
> it could present a little pop-up menu of handlers to choose from, including
> "/select?qt=mycustom" for handlers that aren't named with a leading '/'. This
> choice should be positioned at the top.
> And before I forget, me or someone should investigate if there are any
> similar security problems with the shards.qt parameter. Perhaps shards.qt can
> abide by the same rules outlined above.
> Does anyone foresee any problems with this proposal?
> On a related subject, I think the notion of a default request handler is bad
> - the default="true" thing. Honestly I'm not sure what it does, since I
> noticed Solr trunk redirects '/solr/' to the new admin UI at '/solr/#/'.
> Assuming it doesn't do anything useful anymore, I think it would be clearer
> to use <requestHandler name="/select" class="solr.SearchHandler"> instead of
> what's there now. The delta is to put the leading '/' on this request handler
> name, and remove the "default" attribute.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
