On Thursday 21 December 2006 10:56, Deepan wrote:
> I am bothered about security problems with Lucene. Is it vulnerable to
> any kind of injection like MySQL injection? Many times the query from
> the user is passed to Lucene for search without validating.
This is only an issue if your index has permission information and you
modify the user's query so that only parts of the index are visible to
him. For example, if you add "+permission:user" to the query the user
might add something like "OR permission:admin" to get access to more
documents. This is also why you should add new parts to the query
programmatically (BooleanQuery) to avoid the use of QueryParser.
Regards
Daniel
--
http://www.danielnaber.de
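
The approach described in the reply above, as an added example that is not part of the original message and is not code from the Lucene project: the same untrusted input is run once through string concatenation and once with the permission restriction attached as a separate `BooleanQuery` clause, against a two-document in-memory index. It assumes Lucene 8 or later with lucene-core and lucene-queryparser on the classpath; the class name, the `body` field, the sample documents and the AND default operator are assumptions made for the demonstration.

```java
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.queryparser.classic.*;
import org.apache.lucene.search.*;
import org.apache.lucene.store.ByteBuffersDirectory;

public class PermissionFilterDemo {
    static Document doc(String body, String permission) {
        Document d = new Document();
        d.add(new TextField("body", body, Field.Store.NO));
        d.add(new StringField("permission", permission, Field.Store.NO)); // stored as one exact term
        return d;
    }
    // Weak: restriction and untrusted text share one string, so the parser decides how they combine.
    static Query concatenated(QueryParser p, String input) throws ParseException {
        return p.parse("+permission:user " + input);
    }
    // Hardened: only the user's text is parsed; the restriction is a separate
    // FILTER clause that no query syntax in the input can reach.
    static Query restricted(QueryParser p, String input) throws ParseException {
        return new BooleanQuery.Builder()
            .add(p.parse(input), BooleanClause.Occur.MUST)
            .add(new TermQuery(new Term("permission", "user")), BooleanClause.Occur.FILTER)
            .build();
    }
    public static void main(String[] args) throws Exception {
        StandardAnalyzer analyzer = new StandardAnalyzer();
        ByteBuffersDirectory dir = new ByteBuffersDirectory();
        try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(analyzer))) {
            w.addDocument(doc("public report", "user"));  // constructed sample documents
            w.addDocument(doc("secret report", "admin"));
        }
        QueryParser parser = new QueryParser("body", analyzer); // "body": hypothetical default field
        parser.setDefaultOperator(QueryParser.Operator.AND);    // assumed application setting
        try (DirectoryReader reader = DirectoryReader.open(dir)) {
            IndexSearcher searcher = new IndexSearcher(reader);
            for (String input : new String[] {"OR permission:admin", "report OR permission:admin"}) {
                Query weak = concatenated(parser, input);
                System.out.println("concatenated: " + weak + " -> " + searcher.count(weak) + " hit(s)");
                try {
                    Query safe = restricted(parser, input);
                    System.out.println("programmatic: " + safe + " -> " + searcher.count(safe) + " hit(s)");
                } catch (ParseException e) {
                    System.out.println("programmatic: input rejected, not a valid query on its own");
                }
            }
        }
    }
}
```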