+1, I agree. Opened https://issues.apache.org/jira/browse/SOLR-8099

Thanks,
Ishan

On Sun, Sep 27, 2015 at 5:22 AM, Doug Turnbull <dturnb...@opensourceconnections.com> wrote:

> Relevant code
>
> http://grepcode.com/file/repo1.maven.org/maven2/org.apache.solr/solr-core/5.2.0/org/apache/solr/search/ValueSourceParser.java#126
>
> On Saturday, September 26, 2015, Doug Turnbull <dturnb...@opensourceconnections.com> wrote:
>
> > I noticed a while back that "sleep" is a function query. Which I
> > believe means I can make the current query thread sleep for as long as I
> > like.
> >
> > I'm guessing an attacker could use this to starve Solr of threads, running
> > a denial of service attack by running multiple queries with sleeps in them.
> >
> > Is this a concern? I realize there may be test purposes to sleep a
> > function query, but I'm trying to think if there's really practical purpose
> > to having sleep here.
> >
> > Best,
> > -Doug
> >
> > --
> > *Doug Turnbull* | Search Relevance Consultant | OpenSource Connections
> > <http://opensourceconnections.com>, LLC | 240.476.9983
> > Author: Relevant Search <http://manning.com/turnbull>
> > This e-mail and all contents, including attachments, is considered to be
> > Company Confidential unless explicitly stated otherwise, regardless
> > of whether attachments are marked as such.
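
A defensive sketch for the concern raised in this thread, added here as an example (it is not code from the thread, from SOLR-8099 or from Solr): a screen that a proxy or log review in front of Solr could use to flag requests that invoke the `sleep` function in any parameter. The function names, the request paths and the `ARGS` placeholder are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "sleep" used as a function-call token: not preceded by an identifier
# character (so "asleep(" does not match), optional whitespace, then "(".
SLEEP_CALL = re.compile(r"(?<![\w.])sleep\s*\(")


def params_calling_sleep(request_uri):
    """Return the names of parameters whose decoded value contains sleep(.

    Every parameter is checked, not only q: function queries can also be
    supplied through other parameters (field lists, sorts, referenced
    parameters), so screening q alone would miss them.
    """
    query = urlsplit(request_uri).query
    hits = []
    # parse_qsl percent-decodes each value once and turns "+" into a space,
    # so encoded parentheses are seen in their decoded form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Quoted text is deliberately NOT stripped before matching: a
        # function can be passed inside a quoted local-param value, so
        # skipping quotes would open a bypass. The cost is a possible false
        # positive on literal text that contains "sleep(".
        if SLEEP_CALL.search(value):
            hits.append(name)
    return hits


def flagged_requests(request_uris):
    """Return (uri, parameter names) for each request that calls sleep."""
    flagged = []
    for uri in request_uris:
        names = params_calling_sleep(uri)
        if names:
            flagged.append((uri, names))
    return flagged


# Constructed sample requests; ARGS is a placeholder, not real arguments.
SAMPLE_REQUESTS = [
    "/solr/demo/select?q=%7B!func%7Dsleep(ARGS)",
    "/solr/demo/select?q=*:*&fl=id,s:sleep%28ARGS%29",
    "/solr/demo/select?q=%7B!func%7D$f&f=sleep+(ARGS)",
    "/solr/demo/select?q=notes:%22asleep(again)%22",
    "/solr/demo/select?q=*:*&sort=product(popularity,2)+desc",
]

if __name__ == "__main__":
    for uri, names in flagged_requests(SAMPLE_REQUESTS):
        print("flag", names, uri)
```

A screen like this is a stopgap for deployments that cannot change the server; it only sees URL query strings, so parameters sent in a request body need the same check applied there.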