lucene-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Damien McCarthy" <damien.mccar...@propylon.com>
Subject RE: Lucene code injection?
Date Thu, 24 May 2007 13:22:46 GMT
Hi Joe,

It would probably be cleaner to use a QueryFilter rather than doing the AND.
Take a look at
http://lucene.apache.org/java/2_0_0/api/org/apache/lucene/search/QueryFilter
.html

Also I'm not sure that using the sent to field will work - people may
receive email from a list, such as this, where their own email does not
appear in that field. They could also have email auto forwarded from another
address.

Anyway hope this helps ....

Damien

-----Original Message-----
From: Joe [mailto:fischauto333@yahoo.de]
Sent: 24 May 2007 14:14
To: java-user@lucene.apache.org
Subject: Re: Lucene code injection?


Hi,
> This sounds good. As for the code injection it is up to you to sanitize
> the request before it goes to lucene, probably by filling the email
> field yourself and not rely on the user input for the email address

I hoped i havent to sanitize the user input cause the email address
query is ANDed by the
application, after the user finished his input.

(user_query) AND (email_query)

So is it possible to produce a user_query which will ignore the ANDed
(email_query)?



---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-user-help@lucene.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-user-help@lucene.apache.org


Mime
View raw message