Security question with demo... feedback sought.

["Stone, Timothy" <ts...@cityofhbg.com>]

List,

Bear with me as I recount my learning process. My questions follow:

I have deployed the demo successfully, with some edits for results display and the like (really superficial in nature overall). One thing I did do was display the query back to the user in the result page. In doing so, I introduced a possibly security hole. This stems from something I noticed about the demo: it has no real input validation to speak of. Hey, it's a demo, I'm not pointing fingers. Input validation is the implementors responsibility, and I have accepted that responsibility.

My problem can be seen in the following examples. I entered a simple query:

<script>alert("test")</script>

The results returned alright... after displaying a javascript alert. This of course could be a bridge for more sophisticated cross-site scripting attacks. The following query *DID NOT WORK*:

<script>alert(document.cookie)</script>

Typing the same thing in the location bar using the javascript pseudo protocol *DOES WORK*:

javascript:alert(document.cookie)

Why the former cookie alert worked and the latter did not is possibly a built in security feature of Tomcat, I'm not sure (feedback sought here).

My first pass at solving the problem was to filter the query for display using the static Entities.encode() method provided with the demo. This seems to have fixed the alert in the results page, the query is properly displayed as clear text, like a PRE element might display it.

1. If anyone can provide some feedback on this solution I would appreciate it. Examples of other modifications to the demo to beef up input validation are sought too. (I have considered writing a character replacement method for the queries, but I think this could impact performance.)

Another question, somewhat unrelated, is given a query:

<script>alert("test")</script>

Results are returned matching the quoted portion, in this example "test". 

2. Can someone more familiar with the Lucene engine elaborate on why this works?

Thanks!
Tim

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

A little field help

[Rob Outar <ro...@ideorlando.org>]

Sorry for this question if I missed it in a FAQ or something, but I am a
little confused on what field I should use. I need to search on all the
fields I specify for the document and they should not be tokenized --
whatever I store as the value should stay in the same form.  I am thinking I
should be using:

static Field UnIndexed(String name, String value)
          Constructs a String-valued Field that is not tokenized nor
indexed, but is stored in the index, for return with hits.

for my fields?

Let me know.

Thanks,

Rob


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>