Posted to dev@lucene.apache.org by Otis Gospodnetic <ot...@yahoo.com> on 2006/12/13 07:00:52 UTC
Lucene code review
Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
I wonder what the 3 defects they found and reviewed are... I don't see a way to see them from their site.
Otis
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-dev-help@lucene.apache.org
Re: Lucene code review
Posted by Erik Hatcher <er...@ehatchersolutions.com>.
On Dec 16, 2006, at 3:44 AM, Chris Hostetter wrote:
> : what they were). Solr had cross-site scripting issues in its JSP
> : pages, which I think are now all fixed (?).
>
> SOLR-74, just resolved.
>
> I don't know if I'd really call them XSS issues: they are on the admin
> pages; if a malicious user has access to them, you've got bigger
> problems than them trying XSS exploits.
I concur. But, at the very least by fixing this, users' input won't
mangle the output page with unescaped HTML. For example, a query of
"</html>" would probably have screwed up the output.
Erik
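The output-escaping fix Erik describes, as an added illustration (not Solr's own code or the SOLR-74 patch): a small HTML encoder with the same "Results for: ..." fragment rendered before and after escaping, using the "</html>" query from the thread as the constructed sample input. The class and method names are assumptions for this example.

```java
/**
 * Minimal HTML output encoder of the kind an admin JSP needs before it
 * writes a request parameter (such as the query string) into the page.
 * Illustrative stand-alone class; not Solr's code.
 */
public class HtmlEscapeDemo {

    /** Escape the five characters that can change the meaning of HTML text or attribute values. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The 'before' case: the raw value is concatenated into the markup. */
    public static String renderUnescaped(String q) {
        return "<p>Results for: " + q + "</p>";
    }

    /** The 'after' case: the value is escaped, so it is displayed as text. */
    public static String renderEscaped(String q) {
        return "<p>Results for: " + escapeHtml(q) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the query Erik mentions in the thread.
        String q = "</html>";
        System.out.println("unescaped: " + renderUnescaped(q)); // closes the document early
        System.out.println("escaped:   " + renderEscaped(q));   // <p>Results for: &lt;/html&gt;</p>
        // Sanity check: the escaped fragment must contain no raw closing tag.
        if (renderEscaped(q).contains("</html>")) {
            throw new AssertionError("value was written into the page unescaped");
        }
    }
}
```

In a JSP the same idea is `<%= HtmlEscapeDemo.escapeHtml(request.getParameter("q")) %>` in place of a bare `<%= request.getParameter("q") %>`; with JSTL, `<c:out value="${param.q}"/>` escapes by default. The check in `main` is the one a reviewer would want to see for each admin page: every request-derived value passes through the encoder before it reaches the response.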
Re: Lucene code review
Posted by Chris Hostetter <ho...@fucit.org>.
: what they were). Solr had cross-site scripting issues in its JSP
: pages, which I think are now all fixed (?).
SOLR-74, just resolved.
I don't know if I'd really call them XSS issues: they are on the admin
pages; if a malicious user has access to them, you've got bigger problems
than them trying XSS exploits.
-Hoss
Re: Lucene code review
Posted by Doug Cutting <cu...@apache.org>.
Brian Chess wrote:
> I'd be happy to set up an account for anyone
> involved with the projects who'd like to take a look. (Because we're
> checking for security problems, we don't share specific findings with the
> general public.)
Thanks for doing this, Brian.
One possibility would be to generate Jira issues for these, perhaps even
automatically (Jira has an RPC interface). If the issue is a likely
security problem, then its Jira security level can be set so to only
permit members of the development team to view it.
Doug
Fwd: Lucene code review
Posted by Erik Hatcher <er...@ehatchersolutions.com>.
(sorry if this is a duplicate post, wanted to be sure it made it
through)
Erik
Begin forwarded message:
> From: Brian Chess <br...@fortifysoftware.com>
> Date: December 15, 2006 1:42:13 AM EST
> To: Erik Hatcher <er...@ehatchersolutions.com>, <java-
> dev@lucene.apache.org>
> Cc: Gary McGraw <ge...@cigital.com>
> Subject: Re: Lucene code review
>
> Hi Erik, thanks for the intro. I'd be happy to set up an account
> for anyone
> involved with the projects who'd like to take a look. (Because we're
> checking for security problems, we don't share specific findings
> with the
> general public.)
>
> Erik is right, from Lucene, Nutch, and Solr, the most important
> things we
> found were the cross-site scripting bugs in Solr. There are a few
> more bugs
> that I think are worth looking at, but nothing to get worked up about.
>
> Brian
>
>> From: Erik Hatcher <er...@ehatchersolutions.com>
>> Date: Thu, 14 Dec 2006 23:43:33 -0500
>> To: <ja...@lucene.apache.org>
>> Cc: Brian Chess <br...@fortifysoftware.com>, Gary McGraw
>> <ge...@cigital.com>
>> Subject: Re: Lucene code review
>>
>>
>> On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
>>> Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
>>> I wonder what the 3 defects they found and reviewed are... I don't
>>> see a way to see them from their site.
>>
>> I had an early peek at the Fortify analysis of several open source
>> projects, primarily Lucene, Nutch, and Solr. Lucene and Nutch both
>> had very minor cosmetic issues (don't recall off the top of my head
>> what they were). Solr had cross-site scripting issues in its JSP
>> pages, which I think are now all fixed (?).
>>
>> Brian Chess at Fortify was instrumental in the analysis and is eager
>> to work with open source communities closely to have these types of
>> analyses automated and useful to the projects. I'm sure we'll hear
>> more from his organization in the near future.
>>
>> Erik
>>
Re: Lucene code review
Posted by Sami Siren <ss...@gmail.com>.
Erik Hatcher wrote:
> I have an account and I recommend at least a couple of the really active
> committers sign on as well. Yonik for sure! ;) Doug, of course (if he
> wants). Anyone else?
I am interested in checking out Nutch.
--
Sami Siren
Re: Lucene code review
Posted by Erik Hatcher <er...@ehatchersolutions.com>.
I have an account and I recommend at least a couple of the really
active committers sign on as well. Yonik for sure! ;) Doug, of
course (if he wants). Anyone else?
Erik
On Dec 15, 2006, at 1:42 AM, Brian Chess wrote:
> Hi Erik, thanks for the intro. I'd be happy to set up an account
> for anyone
> involved with the projects who'd like to take a look. (Because we're
> checking for security problems, we don't share specific findings
> with the
> general public.)
>
> Erik is right, from Lucene, Nutch, and Solr, the most important
> things we
> found were the cross-site scripting bugs in Solr. There are a few
> more bugs
> that I think are worth looking at, but nothing to get worked up about.
>
> Brian
>
>> From: Erik Hatcher <er...@ehatchersolutions.com>
>> Date: Thu, 14 Dec 2006 23:43:33 -0500
>> To: <ja...@lucene.apache.org>
>> Cc: Brian Chess <br...@fortifysoftware.com>, Gary McGraw
>> <ge...@cigital.com>
>> Subject: Re: Lucene code review
>>
>>
>> On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
>>> Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
>>> I wonder what the 3 defects they found and reviewed are... I don't
>>> see a way to see them from their site.
>>
>> I had an early peek at the Fortify analysis of several open source
>> projects, primarily Lucene, Nutch, and Solr. Lucene and Nutch both
>> had very minor cosmetic issues (don't recall off the top of my head
>> what they were). Solr had cross-site scripting issues in its JSP
>> pages, which I think are now all fixed (?).
>>
>> Brian Chess at Fortify was instrumental in the analysis and is eager
>> to work with open source communities closely to have these types of
>> analyses automated and useful to the projects. I'm sure we'll hear
>> more from his organization in the near future.
>>
>> Erik
>>
>
>
Re: Lucene code review
Posted by Brian Chess <br...@fortifysoftware.com>.
Hi Erik, thanks for the intro. I'd be happy to set up an account for anyone
involved with the projects who'd like to take a look. (Because we're
checking for security problems, we don't share specific findings with the
general public.)
Erik is right, from Lucene, Nutch, and Solr, the most important things we
found were the cross-site scripting bugs in Solr. There are a few more bugs
that I think are worth looking at, but nothing to get worked up about.
Brian
> From: Erik Hatcher <er...@ehatchersolutions.com>
> Date: Thu, 14 Dec 2006 23:43:33 -0500
> To: <ja...@lucene.apache.org>
> Cc: Brian Chess <br...@fortifysoftware.com>, Gary McGraw <ge...@cigital.com>
> Subject: Re: Lucene code review
>
>
> On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
>> Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
>> I wonder what the 3 defects they found and reviewed are... I don't
>> see a way to see them from their site.
>
> I had an early peek at the Fortify analysis of several open source
> projects, primarily Lucene, Nutch, and Solr. Lucene and Nutch both
> had very minor cosmetic issues (don't recall off the top of my head
> what they were). Solr had cross-site scripting issues in its JSP
> pages, which I think are now all fixed (?).
>
> Brian Chess at Fortify was instrumental in the analysis and is eager
> to work with open source communities closely to have these types of
> analyses automated and useful to the projects. I'm sure we'll hear
> more from his organization in the near future.
>
> Erik
>
Re: Lucene code review
Posted by Erik Hatcher <er...@ehatchersolutions.com>.
On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
> Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
> I wonder what the 3 defects they found and reviewed are... I don't
> see a way to see them from their site.
I had an early peek at the Fortify analysis of several open source
projects, primarily Lucene, Nutch, and Solr. Lucene and Nutch both
had very minor cosmetic issues (don't recall off the top of my head
what they were). Solr had cross-site scripting issues in its JSP
pages, which I think are now all fixed (?).
Brian Chess at Fortify was instrumental in the analysis and is eager
to work with open source communities closely to have these types of
analyses automated and useful to the projects. I'm sure we'll hear
more from his organization in the near future.
Erik
Re: Lucene code review
Posted by Lukas Vlcek <lu...@gmail.com>.
Hi,
Indeed, I am very impressed by the fact that both Nutch and Lucene
scored best of all the projects considered in the survey.
Congratulations to the community!
Lukas
On 12/13/06, Otis Gospodnetic <ot...@yahoo.com> wrote:
>
> Just spotted this on Slashdot:
> http://opensource.fortifysoftware.com/welcome.html
> I wonder what the 3 defects they found and reviewed are... I don't see a
> way to see them from their site.
>
> Otis
>
>
>
>
>