lucene-solr-dev mailing list archives

From "Hoss Man (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SOLR-1594) SolrDispatchFilter needs to sanitize exception message
Date Mon, 23 Nov 2009 18:39:41 GMT

[ https://issues.apache.org/jira/browse/SOLR-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781530#action_12781530 ]

Hoss Man commented on SOLR-1594:
--------------------------------

bq. So should we leave it up to the appserver to do the right thing or should Solr be more
proactive?

As long as we're relying on the default error page of the servlet container, we shouldn't
attempt to modify the messages in any way, because that will just screw things up for servlet
containers that do the correct behavior.  If there is an XSS risk, it's caused by the servlet
container, and that's where it should be fixed.

I don't mind putting in workarounds for specific servlet containers when it doesn't affect
anybody else, but double escaping would definitely cause problems for people who have good
default error pages in their servlet containers (or who customize the Solr webapp to add their
own error page).

we should focus our efforts on something like SOLR-141 instead of trying to apply html specific
sanitizing.

> SolrDispatchFilter needs to sanitize exception message
> ------------------------------------------------------
>
>                 Key: SOLR-1594
>                 URL: https://issues.apache.org/jira/browse/SOLR-1594
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: Bill Au
>            Assignee: Bill Au
>             Fix For: 1.5
>
>         Attachments: solr-1594.patch
>
>
> SolrDispatchFilter needs to sanitize exception messages before using them in the response.
> I will attach a patch shortly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
