lucene-dev mailing list archives

From Brian Chess <>
Subject Re: Lucene code review
Date Fri, 15 Dec 2006 06:42:13 GMT
Hi Erik, thanks for the intro.  I'd be happy to set up an account for anyone
involved with the projects who'd like to take a look.  (Because we're
checking for security problems, we don't share specific findings with the
general public.)

Erik is right: from Lucene, Nutch, and Solr, the most important things we
found were the cross-site scripting bugs in Solr.  There are a few more bugs
that I think are worth looking at, but nothing to get worked up about.


> From: Erik Hatcher <>
> Date: Thu, 14 Dec 2006 23:43:33 -0500
> To: <>
> Cc: Brian Chess <>, Gary McGraw <>
> Subject: Re: Lucene code review
> On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
>> Just spotted this on Slashdot:  http://
>> I wonder what the 3 defects they found and reviewed are... I don't
>> see a way to see them from their site.
> I had an early peek at the Fortify analysis of several open source
> projects, primarily Lucene, Nutch, and Solr.  Lucene and Nutch both
> had very minor cosmetic issues (don't recall off the top of my head
> what they were).  Solr had cross-site scripting issues in its JSP
> pages, which I think are now all fixed (?).
> Brian Chess at Fortify was instrumental in the analysis and is eager
> to work with open source communities closely to have these types of
> analyses automated and useful to the projects.  I'm sure we'll hear
> more from his organization in the near future.
> Erik
