lucene-java-user mailing list archives

From "Mordo, Aviran (EXP N-NANNATEK)" <aviran.mo...@lmco.com>
Subject RE: Lucene code injection?
Date Thu, 24 May 2007 13:03:41 GMT
This sounds good. As for the code injection, it is up to you to sanitize
the request before it goes to Lucene, probably by filling the email
field yourself and not relying on the user input for the email address.

HTH

Aviran
http://www.aviransplace.com
http://shaveh.co.il 

-----Original Message-----
From: Joe [mailto:fischauto333@yahoo.de] 
Sent: Thursday, May 24, 2007 8:35 AM
To: java-user@lucene.apache.org
Subject: Lucene code injection?

Hi,

I indexed emails. And now I want to restrict the search functionality
for users so they can only search for emails to/from them.

I know the email address of the user, so my plan is to do it in the
following way:
The user enters some search parameters, they are combined in a query.
This is a mix of TermQueries and WildcardQueries combined with
BooleanQueries.

This query I will combine with a TermQuery which includes only hits with
the email address of the user: (parameter-query) AND
(emailaddress-query)

Is this good practice?
And is this safe?
Or can a user do some kind of code injection to get other emails?

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-user-help@lucene.apache.org


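The combination Joe describes, with the restriction filled in server-side as Aviran recommends, as an added Java example that is not code from this thread. It assumes a modern Lucene (5.x or later) with the classic QueryParser module on the classpath, that the "to" and "from" fields were indexed as StringField so a TermQuery matches the whole address, and the class, method and field names are hypothetical.

```java
// Added example, not from the mailing-list thread. Assumes Lucene 5.x+ and that
// "to"/"from" were indexed as StringField (exact, untokenized terms).
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.index.Term;
import org.apache.lucene.queryparser.classic.ParseException;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.search.BooleanClause.Occur;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;

public class MailboxScopedSearch {

    /** Weak pattern: the restriction is spliced into the string the parser sees.
     *  Because the user controls part of that string, parentheses or operators in
     *  their input can rearrange the clause structure. Shown only for contrast. */
    static Query unsafe(QueryParser parser, String userInput, String email)
            throws ParseException {
        return parser.parse("(" + userInput + ") AND to:" + QueryParser.escape(email));
    }

    /** Hardened pattern: parse the user's text on its own, then AND it with a
     *  TermQuery built from the session's address, as Query objects. Nothing the
     *  user types can reach the restriction clause, and MUST means every hit
     *  satisfies it. */
    static Query scoped(QueryParser parser, String userInput, String email)
            throws ParseException {
        Query userQuery = parser.parse(userInput);   // may contain wildcards etc.

        // to:<me> OR from:<me>, built server-side from the authenticated identity
        BooleanQuery ownMail = new BooleanQuery.Builder()
                .add(new TermQuery(new Term("to", email)), Occur.SHOULD)
                .add(new TermQuery(new Term("from", email)), Occur.SHOULD)
                .build();

        return new BooleanQuery.Builder()
                .add(userQuery, Occur.MUST)
                .add(ownMail, Occur.MUST)
                .build();
    }

    public static void main(String[] args) throws ParseException {
        QueryParser parser = new QueryParser("body", new StandardAnalyzer());
        // Constructed sample: the address comes from the login session, never from
        // a request parameter the user can edit.
        String sessionEmail = "alice@example.com";
        System.out.println(scoped(parser, "invoice* AND subject:urgent", sessionEmail));
    }
}
```

If the address fields were tokenized at index time instead, the TermQuery will not match the full address and the filter silently returns nothing, so check the field type before relying on this.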