lucene-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stone, Timothy" <tst...@cityofhbg.com>
Subject Security question with demo... feedback sought.
Date Thu, 14 Nov 2002 13:59:39 GMT
List,

Bear with me as I recount my learning process. My questions follow:

I have deployed the demo successfully, with some edits for results display and the like (really
superficial in nature overall). One thing I did do was display the query back to the user
in the result page. In doing so, I introduced a possibly security hole. This stems from something
I noticed about the demo: it has no real input validation to speak of. Hey, it's a demo, I'm
not pointing fingers. Input validation is the implementors responsibility, and I have accepted
that responsibility.

My problem can be seen in the following examples. I entered a simple query:

<script>alert("test")</script>

The results returned alright... after displaying a javascript alert. This of course could
be a bridge for more sophisticated cross-site scripting attacks. The following query *DID
NOT WORK*:

<script>alert(document.cookie)</script>

Typing the same thing in the location bar using the javascript pseudo protocol *DOES WORK*:

javascript:alert(document.cookie)

Why the former cookie alert worked and the latter did not is possibly a built in security
feature of Tomcat, I'm not sure (feedback sought here).

My first pass at solving the problem was to filter the query for display using the static
Entities.encode() method provided with the demo. This seems to have fixed the alert in the
results page, the query is properly displayed as clear text, like a PRE element might display
it.

1. If anyone can provide some feedback on this solution I would appreciate it. Examples of
other modifications to the demo to beef up input validation are sought too. (I have considered
writing a character replacement method for the queries, but I think this could impact performance.)

Another question, somewhat unrelated, is given a query:

<script>alert("test")</script>

Results are returned matching the quoted portion, in this example "test". 

2. Can someone more familiar with the Lucene engine elaborate on why this works?

Thanks!
Tim

--
To unsubscribe, e-mail:   <mailto:lucene-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:lucene-user-help@jakarta.apache.org>


Mime
View raw message