On 1/5/2018 6:26 PM, Rick Leir wrote:
> Erik, sorry, I didn't mean to say Velocity has a security problem. I am just
> thinking that people will see it in action and think it is a full answer to a
> front end web app, though it has no input filtering or range checking (as an
> output template system, natch).
> What do you recommend for a very basic input filter in front of Solr with
> Velocity?
One thing to keep in mind is that Solr should not be exposed to end users.
The Velocity implementation that ships with Solr as the /browse handler
requires the user to have direct access to Solr, because the requests to
Solr are made by the user's browser. The /browse handler is a good
demonstration of what Solr can do, but it is not suitable for production.
I'm not familiar with Velocity at all, but I do think anything that
requires exposing Solr to an end user is a possible security problem.
Thanks,
Shawn
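The point in the reply above is that the browser should never talk to Solr directly; the application server should build the Solr request itself from a small set of validated inputs. The following is an added example of such a server-side allow-list filter, written for this thread and not taken from Solr or from either author. It assumes a Solr base URL, the standard /select handler, and that q, start and rows are the only user-controllable parameters; the caps on rows, start and query length are assumed policy values.

```python
"""Minimal allow-list input filter to sit between a web front end and Solr.

Added example, not from the thread or from Solr. Assumptions: the application
talks to Solr at SOLR_BASE, always uses the /select handler, and the only
user-controllable parameters are q, start and rows.
"""
from urllib.parse import urlencode

SOLR_BASE = "http://localhost:8983/solr/collection1"  # assumed; not from the thread
HANDLER = "/select"          # fixed server-side; the user never picks a handler
MAX_ROWS = 50                # page size cap (assumed policy)
MAX_START = 10_000           # deep-paging cap (assumed policy)
MAX_QUERY_LEN = 256          # query length cap (assumed policy)

# Characters with meaning in Lucene/Solr query syntax. They are backslash-escaped
# so user text is searched as literal terms rather than parsed as syntax.
_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_solr_query(text: str) -> str:
    """Backslash-escape Lucene/Solr query-syntax characters in user text."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in text)


def _bounded_int(raw: str, name: str, lo: int, hi: int) -> int:
    """Parse an integer parameter and enforce an inclusive range."""
    if not isinstance(raw, str) or not raw.isdigit():  # rejects sign, blanks, floats, empty
        raise ValueError(f"{name} must be a non-negative integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{name} out of range {lo}..{hi}")
    return value


def filter_params(untrusted: dict) -> dict:
    """Return only the allow-listed, validated parameters.

    Anything not in the allow-list (wt, qt, shards, stream.*, ...) is dropped,
    so the caller can never choose a response writer, handler or data source.
    """
    q = untrusted.get("q", "")
    if not isinstance(q, str):
        raise ValueError("q must be a string")
    q = q.strip()
    if not q:
        raise ValueError("q is required")
    if len(q) > MAX_QUERY_LEN:
        raise ValueError("q too long")
    if any(ord(c) < 32 for c in q):
        raise ValueError("q contains control characters")

    return {
        "q": escape_solr_query(q),
        "start": _bounded_int(untrusted.get("start", "0"), "start", 0, MAX_START),
        "rows": _bounded_int(untrusted.get("rows", "10"), "rows", 1, MAX_ROWS),
        "wt": "json",        # response format chosen server-side, never by the user
    }


def build_solr_url(untrusted: dict) -> str:
    """Build the URL the *server* sends to Solr from untrusted form input."""
    params = filter_params(untrusted)
    return f"{SOLR_BASE}{HANDLER}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample input mimicking a browser form submission that also
    # tries to pick its own handler and response writer; both are discarded.
    sample = {"q": "solr velocity", "rows": "20", "qt": "/browse", "wt": "velocity"}
    print(build_solr_url(sample))
```

The filter is deliberately an allow-list rather than a block-list: the front end decides which handler and response writer are used, and every number the user supplies is range-checked before it reaches Solr. The escaping step keeps user text from being interpreted as query syntax, so the application, not the browser, controls what the query means.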