Shawn

The easy solution is to put something like solr-security-proxy [1] in front of a Solr/Velocity app, and this is working for me. However, this has a blacklist for Solr params and I think it should have a whitelist instead. Also, it does not check ranges or filter chars. Is this proxy adequate for use on the open internet? In particular, what character filtering should I add to it?

Thanks
Rick
[1] https://github.com/dergachev/solr-security-proxy

On January 6, 2018 11:55:35 AM EST, Shawn Heisey <apa...@elyograg.org> wrote:
> On 1/5/2018 6:26 PM, Rick Leir wrote:
>> Erik, Sorry I didn't mean to say Velocity has a security problem. I am just thinking that people will see it in action and think it is a full answer to a front end web app, though it has no input filtering or range checking (as an output template system, natch).
>> What do you recommend for a very basic input filter in front of Solr with Velocity?
>
> One thing to keep in mind is that Solr should not be exposed to end users.
>
> The velocity implementation that ships with Solr as the /browse handler requires the user to have direct access to Solr, because the requests to Solr are made by the user's browser. The /browse handler is a good demonstration of what Solr can do, but it is not suitable for production.
>
> I'm not familiar with velocity at all, but I do think anything that requires exposing Solr to an end user is a possible security problem.
>
> Thanks,
> Shawn

--
Sorry for being brief. Alternate email is rickleir at yahoo dot com
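The three gaps Rick lists above (a blacklist rather than a whitelist of Solr parameters, no range checks, no character filtering) can be illustrated with a small request filter. The following is an added example written for this thread; it is not code from solr-security-proxy or from Solr, and the allowed parameter names, field names, numeric limits and character class are assumptions chosen for a simple search front end. It takes the raw query string of an incoming request and returns a rebuilt query string containing only parameters that passed every check, throwing on anything else.

```javascript
// Added example (not solr-security-proxy or Solr code): whitelist-based
// filtering of request parameters bound for Solr. All names, limits and
// character classes below are assumptions for a hypothetical front end.

const ALLOWED_PARAMS = new Set(['q', 'fq', 'fl', 'start', 'rows', 'sort', 'wt']);
const MAX_ROWS = 100;          // assumed page-size cap
const MAX_START = 10000;       // assumed deep-paging cap
const MAX_VALUE_LENGTH = 512;  // assumed per-value length cap
// Fields the front end is meant to search or return (assumed schema names).
const ALLOWED_FIELDS = new Set(['id', 'title', 'body', 'price', 'date']);
// Local-parameter syntax ("{!...}") selects query parsers, so reject it outright.
const LOCAL_PARAMS = /\{!/;
// Characters permitted in free-text input: letters, digits, whitespace,
// quotes, wildcards, field separator, hyphen and dot (assumption).
const QUERY_CHARS = /^[\p{L}\p{N}\s"'*?:\-.]+$/u;

function checkInt(name, value, max) {
  if (!/^\d{1,6}$/.test(value)) throw new Error(`${name} must be a non-negative integer`);
  const n = Number(value);
  if (n > max) throw new Error(`${name} exceeds limit ${max}`);
  return n;
}

function checkFieldList(name, value) {
  for (const f of value.split(',')) {
    if (!ALLOWED_FIELDS.has(f.trim())) throw new Error(`${name} references unknown field "${f}"`);
  }
  return value;
}

function checkSort(value) {
  const m = /^([A-Za-z_][A-Za-z0-9_]*)\s+(asc|desc)$/.exec(value);
  if (!m || !ALLOWED_FIELDS.has(m[1])) throw new Error('sort must be "<allowed field> asc|desc"');
  return value;
}

function checkQuery(name, value) {
  if (LOCAL_PARAMS.test(value)) throw new Error(`${name} may not contain local params`);
  if (!QUERY_CHARS.test(value)) throw new Error(`${name} contains disallowed characters`);
  // Field-qualified terms (field:term) may only name allowed fields.
  for (const m of value.matchAll(/([A-Za-z_][A-Za-z0-9_]*):/g)) {
    if (!ALLOWED_FIELDS.has(m[1])) throw new Error(`${name} uses unknown field "${m[1]}"`);
  }
  return value;
}

// rawQueryString is the part of the request URL after "?".
// Returns a rebuilt query string, or throws on the first rejected parameter.
function filterSolrQuery(rawQueryString) {
  const params = new URLSearchParams(rawQueryString);
  const out = new URLSearchParams();
  for (const [name, value] of params) {
    if (!ALLOWED_PARAMS.has(name)) throw new Error(`parameter "${name}" is not allowed`);
    if (value.length > MAX_VALUE_LENGTH) throw new Error(`parameter "${name}" is too long`);
    if (out.has(name) && name !== 'fq') throw new Error(`parameter "${name}" repeated`);
    switch (name) {
      case 'start': out.append(name, String(checkInt(name, value, MAX_START))); break;
      case 'rows':  out.append(name, String(checkInt(name, value, MAX_ROWS))); break;
      case 'fl':    out.append(name, checkFieldList(name, value)); break;
      case 'sort':  out.append(name, checkSort(value)); break;
      case 'wt':    if (value !== 'json') throw new Error('wt must be json'); out.append(name, value); break;
      default:      out.append(name, checkQuery(name, value)); // q and fq
    }
  }
  if (!out.has('rows')) out.set('rows', '10'); // assumed default page size
  return out.toString();
}

// Convenience wrapper for a proxy handler: never throws, reports the reason.
function tryFilterSolrQuery(rawQueryString) {
  try {
    return { ok: true, query: filterSolrQuery(rawQueryString) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

module.exports = { filterSolrQuery, tryFilterSolrQuery };
```

Because the output is rebuilt from scratch, a parameter the filter does not know about never reaches Solr, which is the whitelist behaviour Rick asks for; the integer caps on `start` and `rows` are the range checks, and `QUERY_CHARS` plus the field-name check are the character filtering. Wiring this in front of a proxy still leaves Shawn's point standing: the browser talks to the proxy, and only the proxy talks to Solr.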