Re: escaping characters and security

[Thorsten Scherler <th...@juntadeandalucia.es>]

On Tue, 2007-11-06 at 11:52 -0500, Micah Wedemeyer wrote:
> Are there any security risks to passing a query directly to Solr without
> doing any sort of escaping?  I am using URL encoding, so '&' and such
> are being encoded into their %XX equivalents.
> 
> Still, should I be doing anything else?  Is there such a thing as a
> Solr-injection attack?

http://wiki.apache.org/solr/mySolr

"Typically it's not recommended do have your front end users/clients
hitting Solr directly as part of an HTML form submit ... the more
conventional way to think of it is that Solr is a backend service, which
your application can talk to over HTTP -- if you were dealing with a
database, you wouldn't expect that you could generate an HTML form for
your clients and then have them submit that form in some way that
resulted in their browser using JDBC (or ODBC) to communicate directly
with your database, their client would communicate with your App, which
would validate their input, impose some security checks on the input,
and then execute the underlying query to your database -- working with
Solr should be very similar, it just so happens that instead of using
JDBC or some other binary protocol, Solr uses HTTP, and you *can* talk
to it directly from a web browser, but that's really more of a debugging
feature then anything else."

HTH

salu2

> 
> Thanks,
> Micah
-- 
Thorsten Scherler                                 thorsten.at.apache.org
Open Source Java                      consulting, training and solutions