For Open ONI, we're considering just forking the repo to avoid this problem. A simple prototype has verified that it's trivial to construct a "value" which can run arbitrary code before the key check occurs. Given how often data is going to be stored from unknown sources, this just isn't an option for us.
This is extremely dangerous when processing field settings from untrusted sources: https://github.com/search5/solrpy/blob/master/solr/core.py#L1116
For Open ONI, we're considering just forking the repo to avoid this problem. A simple prototype has verified that it's trivial to construct a "value" which can run arbitrary code before the key check occurs. Given how often data is going to be stored from unknown sources, this just isn't an option for us.