On Tue, 2007-11-06 at 11:52 -0500, Micah Wedemeyer wrote:
> Are there any security risks to passing a query directly to Solr without
> doing any sort of escaping? I am using URL encoding, so '&' and such
> are being encoded into their %XX equivalents.
>
> Still, should I be doing anything else? Is there such a thing as a
> Solr-injection attack?
http://wiki.apache.org/solr/mySolr

"Typically it's not recommended to have your front end users/clients hitting
Solr directly as part of an HTML form submit ... the more conventional way to
think of it is that Solr is a backend service, which your application can talk
to over HTTP -- if you were dealing with a database, you wouldn't expect that
you could generate an HTML form for your clients and then have them submit that
form in some way that resulted in their browser using JDBC (or ODBC) to
communicate directly with your database, their client would communicate with
your App, which would validate their input, impose some security checks on the
input, and then execute the underlying query to your database -- working with
Solr should be very similar, it just so happens that instead of using JDBC or
some other binary protocol, Solr uses HTTP, and you *can* talk to it directly
from a web browser, but that's really more of a debugging feature than anything
else."

HTH
salu2

>
> Thanks,
> Micah

--
Thorsten Scherler                                 thorsten.at.apache.org
Open Source Java                      consulting, training and solutions
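An added example, not part of this thread and not Solr project code, showing the two separate layers the question conflates: URL encoding protects the HTTP request structure, while escaping the Lucene/Solr query-parser metacharacters keeps user text from being read as query syntax. The helper also applies the "validate their input" advice from the wiki quote with a field allowlist and a length limit. The escape set, the allowlist, the limits and the base URL are all assumptions for the example (the metacharacter set is modeled on the query-parser syntax as I understand it, not taken from the page).

```python
"""Client-side hardening for user-supplied Solr search terms (example code).

URL encoding keeps '&', '=' and '#' from being read as URL structure; it does
nothing about the Solr query syntax, where ':', '*', '(' and '"' change what
q= means. Apply query-syntax escaping first, then URL-encode the parameters.
"""
from urllib.parse import urlencode

# Query-parser metacharacters to backslash-escape.
# Assumption: modeled on the Lucene/Solr query syntax, not taken from the page.
SOLR_QUERY_SPECIALS = set('\\+-!():^[]"{}~*?|&;/')

# Hypothetical allowlist of fields the application lets users search on.
SEARCHABLE_FIELDS = {"title", "body", "author"}
MAX_TERM_LENGTH = 256
MAX_ROWS = 100


def escape_query_chars(term: str) -> str:
    """Backslash-escape metacharacters and whitespace so the user's text is
    matched as a literal term instead of being parsed as query syntax."""
    out = []
    for ch in term:
        if ch in SOLR_QUERY_SPECIALS or ch.isspace():
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_search_params(field: str, term: str, rows: int = 10) -> dict:
    """Validate the inputs and build the parameter map for a /select request.

    The field name is never taken verbatim from the client; it must be in the
    allowlist. The term is bounded in length and escaped before use.
    """
    if field not in SEARCHABLE_FIELDS:
        raise ValueError(f"field not searchable: {field!r}")
    if not term or len(term) > MAX_TERM_LENGTH:
        raise ValueError("search term empty or too long")
    if not 0 < rows <= MAX_ROWS:
        raise ValueError("rows out of range")
    return {
        "q": f"{field}:{escape_query_chars(term)}",
        "rows": rows,
        "wt": "json",
    }


def build_select_url(base_url: str, field: str, term: str) -> str:
    """Compose the request URL: query-syntax escaping first, URL encoding second."""
    params = build_search_params(field, term)
    return f"{base_url.rstrip('/')}/select?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed user input that happens to contain query metacharacters.
    user_text = "C++ (beta): 2.0*"
    # URL encoding alone: the metacharacters survive and still parse as syntax.
    print("url-encoded only :", urlencode({"q": f"title:{user_text}"}))
    # Escaped, validated and URL-encoded: the whole string is one literal term.
    print("escaped + encoded:",
          build_select_url("http://localhost:8983/solr/core1", "title", user_text))
```

The escaping belongs in the application that fronts Solr, which is exactly the placement the wiki quote recommends: the browser never talks to Solr, and the application decides which fields, operators and result sizes a client may request.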