From: Otis Gospodnetic
To: solr-user@lucene.apache.org
Date: Mon, 9 Nov 2009 14:31:05 -0800 (PST)
Subject: Re: sanizing/filtering query string for security
Message-ID: <581886.84260.qm@web50306.mail.re2.yahoo.com>
In-Reply-To: <3e8ef54f0911091423m25b406abl92741b0575078214@mail.gmail.com>
References: <4971E79C.6040300@drun.net> <26271891.post@talk.nabble.com> <3e8ef54f0911091348h5708d2a6o7db15d95720694b8@mail.gmail.com> <26274459.post@talk.nabble.com> <3e8ef54f0911091423m25b406abl92741b0575078214@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Word of warning: Careful with q.alt=*:* if you are dealing with large indices! :)

Otis
--
Sematext is hiring -- http://sematext.com/about/jobs.html?mls
Lucene, Solr, Nutch, Katta, Hadoop, HBase, UIMA, NLP, NER, IR



----- Original Message ----
> From: Alexey Serba
> To: solr-user@lucene.apache.org
> Sent: Mon, November 9, 2009 5:23:52 PM
> Subject: Re: sanizing/filtering query string for security
>
> > BTW, I have not used DisMax handler yet, but does it handle *:* properly?
> See q.alt DisMax parameter
> http://wiki.apache.org/solr/DisMaxRequestHandler#q.alt
>
> You can specify q.alt=*:* and q as empty string to get all results.
>
> > do you care if users issue this query
> I allow users to issue an empty search and get all results with all
> facets / etc. It's a nice navigation UI btw.
>
> > Basically given my UI, I'm trying to *hide* the total count from users
> > searching for *everything*
> If you don't specify q.alt parameter then Solr returns zero results
> for empty search. *:* won't work either.
>
> > though this syntax has helped me debug/monitor the state of my search doc pool
> > size.
> see q.alt
>
> Alex
>
> On Tue, Nov 10, 2009 at 12:59 AM, michael8 wrote:
> >
> > Sounds like a nice approach you have done. BTW, I have not used DisMax
> > handler yet, but does it handle *:* properly? IOW, do you care if users
> > issue this query, or does DisMax treat this query string differently than
> > standard request handler? Basically given my UI, I'm trying to *hide* the
> > total count from users searching for *everything*, though this syntax has
> > helped me debug/monitor the state of my search doc pool size.
> >
> > Thanks,
> > Michael
> >
> >
> > Alexey-34 wrote:
> >>
> >> I added some kind of pre and post processing of Solr results for this,
> >> i.e.
> >>
> >> If I find fieldname specified in query string in form of
> >> "fieldname:term" then I pass this query string to standard request
> >> handler, otherwise use DisMaxRequestHandler ( DisMaxRequestHandler
> >> doesn't break the query, at least I haven't seen it yet ). If standard
> >> request handler throws error ( invalid field, too many clauses, etc )
> >> then I pass original query to DisMax request handler.
> >>
> >> Alex
> >>
> >> On Mon, Nov 9, 2009 at 10:05 PM, michael8 wrote:
> >>>
> >>> Hi Julian,
> >>>
> >>> Saw your post on exactly the question I have. I'm curious if you got any
> >>> response directly, or figured out a way to do this by now that you could
> >>> share? I'm in the same situation trying to 'sanitize' the query string
> >>> coming in before handing it to solr. I do see that characters like ":"
> >>> could break the query, but am curious if anyone has come up with a
> >>> general solution as I think this must be a fairly common problem for any
> >>> solr deployment to tackle.
> >>>
> >>> Thanks,
> >>> Michael
> >>>
> >>>
> >>> Julian Davchev wrote:
> >>>>
> >>>> Hi,
> >>>> Is there anything special that can be done for sanitizing user input
> >>>> before it is passed as a query to solr?
> >>>> Not allowing * and ? as first char is the only thing I can think of right
> >>>> now. Anything else it should somehow handle?
> >>>>
> >>>> I am not able to find any relevant document.
> >>>>
> >>>>
> >>>
> >>> --
> >>> View this message in context:
> >>> http://old.nabble.com/sanizing-filtering-query-string-for-security-tp21516844p26271891.html
> >>> Sent from the Solr - User mailing list archive at Nabble.com.
> >>>
> >>>
> >>
> >>
> >
> > --
> > View this message in context:
> > http://old.nabble.com/sanizing-filtering-query-string-for-security-tp21516844p26274459.html
> > Sent from the Solr - User mailing list archive at Nabble.com.
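An added example, not code from anyone in this thread: the routing-and-fallback scheme Alexey describes, together with Julian's leading-wildcard rule and Otis's caution about q.alt=*:*, written as a small Python front end. The defType values, the field allowlist, the rows cap and the submit callable standing in for the HTTP call to Solr are assumptions.

```python
import re
from typing import Callable, Dict, Iterable

# A Lucene-style fielded clause: bare field name, colon, then a term that
# starts immediately (so "http://x" also matches, with field "http").
FIELDED_CLAUSE = re.compile(r'(?<![\w\\])([A-Za-z_]\w*):(?=\S)')

class SolrError(Exception):
    """Stand-in for the error the standard handler raises on a bad query."""

def has_leading_wildcard(q: str) -> bool:
    """Julian's rule: reject any token that starts with * or ?; such a prefix
    expands to every term in the field, which is expensive on a large index."""
    return any(tok[0] in '*?' for tok in q.split())

def build_request(q: str, allowed_fields: Iterable[str],
                  max_rows: int = 10) -> Dict[str, str]:
    """Pick handler and parameters for one raw user query (assumed defType
    values 'lucene' and 'dismax'; allowed_fields is a constructed allowlist)."""
    allowed = set(allowed_fields)
    q = q.strip()
    rows = str(max_rows)
    if q in ('', '*:*'):
        # Empty search: DisMax ignores an empty q and uses q.alt instead.
        # q.alt=*:* matches the whole index, so cap rows (Otis's warning).
        return {'defType': 'dismax', 'q': '', 'q.alt': '*:*', 'rows': rows}
    if has_leading_wildcard(q):
        raise ValueError('leading wildcard rejected: %r' % q)
    fields = FIELDED_CLAUSE.findall(q)
    if fields and all(f in allowed for f in fields):
        # Alexey's rule: fielded syntax on known fields goes to the standard parser.
        return {'defType': 'lucene', 'q': q, 'rows': rows}
    # Anything else goes to DisMax, which neutralises stray syntax itself.
    return {'defType': 'dismax', 'q': q, 'rows': rows}

def search(q: str, allowed_fields: Iterable[str],
           submit: Callable[[Dict[str, str]], object]) -> object:
    """Send the request; if the standard parser rejects it (bad field, too
    many clauses, ...) retry the same q through DisMax, as Alexey does."""
    params = build_request(q, allowed_fields)
    try:
        return submit(params)
    except SolrError:
        if params['defType'] != 'lucene':
            raise
        return submit(dict(params, defType='dismax'))
```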