lucene-java-user mailing list archives

From: Daniel Naber <lucenelist2...@danielnaber.de>
Subject: Re: lucene injection
Date: Thu, 21 Dec 2006 11:32:01 GMT

On Thursday 21 December 2006 10:56, Deepan wrote:

> I am bothered about security problems with Lucene. Is it vulnerable to
> any kind of injection like MySQL injection? Many times the query from
> the user is passed to Lucene for search without validating.

This is only an issue if your index has permission information and you 
modify the user's query so that only parts of the index are visible to 
him. For example, if you add "+permission:user" to the query the user 
might add something like "OR permission:admin" to get access to more 
documents. This is also why you should add new parts to the query 
programmatically (BooleanQuery) to avoid the use of QueryParser.

Regards
 Daniel

-- 
http://www.danielnaber.de

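The approach described in the message above, as an added example that is not part of the original post: the user's text is parsed on its own, and the permission restriction is attached afterwards as a separate BooleanQuery clause built from the authenticated role. It assumes Lucene 8 or later (lucene-core and lucene-queryparser) on the classpath; the field names, sample documents and the `restrict` helper are constructed for illustration.

```java
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.search.BooleanClause.Occur;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;
import org.apache.lucene.store.ByteBuffersDirectory;

public class PermissionFilterDemo {
    // Hypothetical helper: the restriction is its own clause object, so nothing
    // the user types is ever parsed into it. `role` comes from the session.
    static Query restrict(Query userQuery, String role) {
        return new BooleanQuery.Builder()
            .add(userQuery, Occur.MUST)
            // FILTER: must match, does not contribute to scoring.
            .add(new TermQuery(new Term("permission", role)), Occur.FILTER)
            .build();
    }

    // Constructed sample document: analyzed body, exact-match permission field.
    static Document doc(String body, String permission) {
        Document d = new Document();
        d.add(new TextField("body", body, Field.Store.NO));
        d.add(new StringField("permission", permission, Field.Store.NO));
        return d;
    }

    public static void main(String[] args) throws Exception {
        StandardAnalyzer analyzer = new StandardAnalyzer();
        ByteBuffersDirectory dir = new ByteBuffersDirectory();
        try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(analyzer))) {
            w.addDocument(doc("public report", "user"));
            w.addDocument(doc("secret report", "admin"));
        }
        // Untrusted input containing the operator mentioned in the message.
        Query userQuery = new QueryParser("body", analyzer)
            .parse("report OR permission:admin");
        try (DirectoryReader reader = DirectoryReader.open(dir)) {
            IndexSearcher searcher = new IndexSearcher(reader);
            Query safe = restrict(userQuery, "user");
            System.out.println("user query alone: " + searcher.count(userQuery));
            System.out.println(safe + " -> " + searcher.count(safe));
        }
    }
}
```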