is there a way to prevent abusing rows parameter

is there a way to prevent abusing rows parameter

solr-user
silly question

is there any configuration value I can set to prevent someone from entering a bad value for the rows parameter?

i.e. to prevent something like "&rows=100000000" from crashing my servers?

the server I am looking at is a Solr v3.6

Re: is there a way to prevent abusing rows parameter

Jack Krupansky-2
You could set an "invariant" parameter value, but that would mean they can't
give an override.

It might be a useful addition to Solr to have a maximum value (specified as
an invariant).

You could also simply add your own Solr "search component" that checked and
maxed the &rows.

-- Jack Krupansky

-----Original Message-----
From: solr-user
Sent: Tuesday, November 20, 2012 8:23 PM
To: [hidden email]
Subject: is there a way to prevent abusing rows parameter

silly question

is there any configuration value I can set to prevent someone from entering
a bad value for the rows parameter?

i.e. to prevent something like "&rows=100000000" from crashing my servers?

the server I am looking at is a Solr v3.6




Re: is there a way to prevent abusing rows parameter

Alexandre Rafalovitch
In reply to this post by solr-user
Does that 'someone' have direct access to the Solr endpoint? Is that the right
thing to do in the first place?

But assuming they do (e.g. intranet), you could build on Jack's suggestion
and create a couple of query-handler end-points that are only different in
the invariant row count value. So, your default search goes to search10, your
25 results page goes to search25, etc.

Regards,
   Alex.

Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)


On Tue, Nov 20, 2012 at 8:23 PM, solr-user <[hidden email]> wrote:

> silly question
>
> is there any configuration value I can set to prevent someone from entering
> a bad value for the rows parameter?
>
> i.e. to prevent something like "&rows=100000000" from crashing my servers?
>
> the server I am looking at is a Solr v3.6
>

Re: is there a way to prevent abusing rows parameter

solr-user
In reply to this post by solr-user
Thanks guys.  This is a problem with the front end not validating requests.  I was hoping there might be a simple config value I could enter/change, rather than going through the long process of migrating a proper fix all the way up to our production servers.  Looks like not, but thx.

Re: is there a way to prevent abusing rows parameter

Amit Nithian
If you're going to validate the rows parameter, may as well validate the
start parameter too. I've run into problems with start and rows with
ridiculously high values crashing our servers.


On Thu, Nov 22, 2012 at 9:58 AM, solr-user <[hidden email]> wrote:

> Thanks guys.  This is a problem with the front end not validating requests.
> I was hoping there might be a simple config value I could enter/change,
> rather than going through the long process of migrating a proper fix all the way up
> to our production servers.  Looks like not, but thx.
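The front-end validation discussed in the last two messages, as an added Python example (not code from the thread or from the Solr project): it clamps both rows and start before a query string is forwarded to Solr. The function names, the limits and the choice of Python for the front end are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Assumed limits for illustration; choose values that fit your index and UI.
MAX_ROWS = 100
MAX_START = 10_000
DEFAULT_ROWS = 10


def _bounded_int(raw, default, upper):
    """Parse raw as an integer and clamp it to [0, upper]; fall back to default."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    return max(0, min(value, upper))


def sanitize_solr_query(query_string):
    """Return a query string with rows and start reduced to one clamped value each.

    Every other parameter is passed through unchanged and in its original order.
    """
    rows, start, passthrough = DEFAULT_ROWS, 0, []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "rows":
            rows = _bounded_int(value, DEFAULT_ROWS, MAX_ROWS)
        elif key == "start":
            start = _bounded_int(value, 0, MAX_START)
        else:
            passthrough.append((key, value))
    # Always emit exactly one start and one rows, so a repeated parameter
    # cannot carry a second, unchecked value through to Solr.
    passthrough += [("start", str(start)), ("rows", str(rows))]
    return urlencode(passthrough)


if __name__ == "__main__":
    # Constructed sample request, using the value from the original question.
    print(sanitize_solr_query("q=solr&rows=100000000"))
```
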