Disabling XmlQParserPlugin through solrconfig

Manikandan Sivanesan
I'm looking for a way to disable the query parser XmlQParserPlugin
(org.apache.solr.search.XmlQParserPlugin) through solrconfig.xml.
I am following the instructions mentioned here
<https://wiki.apache.org/solr/SolrConfigXml#Enable.2Fdisable_components> to
disable a query parser.

This is the part that I added to solrconfig.
<queryParser name="xmlparser" class="XmlQParserPlugin"
enable="{enable.xmlparser:false}/>

I have uploaded it to zk and reloaded the collection. But I still see the
XmlQParserPlugin loaded
in the Plugin/Stats => QUERYPARSER section of Solr Admin Console.

Any advice on this?
Thank you for your time.
--
Manikandan Sivanesan
Senior Software Engineer
Re: Disabling XmlQParserPlugin through solrconfig

Manikandan Sivanesan
Sorry, I noticed the typo. I am providing the corrected version:
    <queryParser name="xmlparser" class="XmlQParserPlugin"
enable="{enable.xmlparser:false}"/>

--
Manikandan Sivanesan
Senior Software Engineer
Re: Disabling XmlQParserPlugin through solrconfig

Shawn Heisey-2
On 10/12/2017 3:18 PM, Manikandan Sivanesan wrote:

> I'm looking for a way to disable the query parser XmlQParserPlugin
> (org.apache.solr.search.XmlQParserPlugin) through solrconfig.xml.
> Following the instructions mentioned here
> <https://wiki.apache.org/solr/SolrConfigXml#Enable.2Fdisable_components> to
> disable a query parser.
>
> This is the part that I added to solrconfig.
> <queryParser name="xmlparser" class="XmlQParserPlugin"
> enable="{enable.xmlparser:false}/>
>
> I have uploaded it to zk and reloaded the collection. But I still see the
> XmlQParserPlugin loaded
> in the Plugin/Stats => QUERYPARSER section of Solr Admin Console.

Through experimentation, I was able to figure out that the configuration
of query parsers DOES support the "enable" attribute.  Initially I
thought it might not.

With this invalid configuration (the class is missing a character), Solr
will start correctly:

<queryParser name="flibble" class="solr.XmlQParserPlugi" enable="false"/>

But if I change the enable attribute to "true" instead of "false", Solr
will NOT successfully load the core with that config, because it
contains a class that cannot be found.

The actual problem you're running into is that almost every query parser
implementation that Solr has is hard-coded and explicitly loaded by code
in QParserPlugin.  One of those parsers is the XML parser that you want
to disable.

I think it would be a good idea to go through the list of hard-coded
parsers in the QParserPlugin class and make it a MUCH smaller list. 
Some of the parsers, especially the XML parser, probably should require
explicit configuration rather than being included by default.

Thanks,
Shawn

Re: Disabling XmlQParserPlugin through solrconfig

Trey Grainger
You can also just "replace" the registered xml query parser with another
parser. I imagine you're doing this for security reasons, which means you
just want the actual xml query parser to not be executable through a query.
Try adding the following line to your solrconfig.xml:
    <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>

This way, the xml query parser is loaded in as a version of the eDismax
query parser instead, and any queries that are trying to reference the xml
query parser through local params will instead hit the eDismax query parser
and use its parsing logic instead.

All the best,

Trey Grainger
SVP of Engineering @ Lucidworks
Co-author, Solr in Action <http://solrinaction.com/>
http://www.treygrainger.com
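
A static check of the behaviour described in this thread, as an added example that is not part of any poster's message and is not Solr code: it classifies what the name `xmlparser` would resolve to under a given solrconfig.xml, so a disabled entry that leaves the hard-coded parser in place can be told apart from a real replacement. Assumptions: the built-in XML parser is registered under `xmlparser` (the name used in the thread), a missing `enable` means enabled and only the value `true` enables, and the `audit`/`resolve` helpers and sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TARGET = "xmlparser"  # parser name used in the thread's config lines (assumption)
PROP = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")

def resolve(value, props):
    """Expand ${name:default} from props, falling back to the inline default."""
    return PROP.sub(lambda m: props.get(m.group(1), m.group(2) or ""), value)

def audit(solrconfig_xml, props=None):
    """Classify what the name 'xmlparser' resolves to under this config."""
    props = props or {}
    try:
        root = ET.fromstring(solrconfig_xml)
    except ET.ParseError:
        return "unparseable"  # e.g. typographic quotes pasted from a mail client
    for qp in root.iter("queryParser"):
        if qp.get("name") != TARGET:
            continue
        flag = resolve(qp.get("enable", "true"), props).strip().lower()
        if flag != "true":
            continue  # disabled entry is skipped; nothing replaces the built-in
        cls = qp.get("class", "")
        if cls.rsplit(".", 1)[-1] == "XmlQParserPlugin":
            return "explicit-xml-active"
        return "shadowed-by:" + cls
    return "builtin-xml-active"  # no effective override: hard-coded default applies

# Constructed sample configs mirroring the three situations in the thread.
DISABLED = ('<config><queryParser name="xmlparser" class="XmlQParserPlugin" '
            'enable="${enable.xmlparser:false}"/></config>')
REPLACED = ('<config><queryParser name="xmlparser" '
            'class="solr.ExtendedDismaxQParserPlugin"/></config>')
CURLY = ('<config><queryParser name=\u201cxmlparser\u201d '
         'class=\u201csolr.ExtendedDismaxQParserPlugin\u201d/></config>')

if __name__ == "__main__":
    for label, cfg in (("disabled", DISABLED), ("replaced", REPLACED),
                       ("curly quotes", CURLY)):
        print(f"{label:13s} -> {audit(cfg)}")
```
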


Re: Disabling XmlQParserPlugin through solrconfig

Manikandan Sivanesan
Thanks a lot. This is the suggestion we are proceeding forward with.

--
Manikandan Sivanesan
Senior Software Engineer