On Thursday 21 December 2006 10:56, Deepan wrote:

> I am bothered about security problems with Lucene. Is it vulnerable to
> any kind of injection like MySQL injection? Many times the query from
> user is passed to Lucene for search without validating.

This is only an issue if your index has permission information and you modify the user's query so that only parts of the index are visible to him. For example, if you add "+permission:user" to the query the user might add something like "OR permission:admin" to get access to more documents. This is also why you should add new parts to the query programmatically (BooleanQuery) to avoid the use of QueryParser.

Regards
 Daniel

--
http://www.danielnaber.de
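
Added example, not part of the original message: the programmatic construction the reply recommends, written against Lucene's current `BooleanQuery.Builder` API rather than the 2006 one. The class name, the `body` field, the sample documents and the sample input are constructed for illustration; it assumes lucene-core and lucene-queryparser 8.x or later on the classpath.

```java
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.queryparser.classic.QueryParser;
import org.apache.lucene.search.*;
import org.apache.lucene.store.ByteBuffersDirectory;
import org.apache.lucene.store.Directory;

public class PermissionFilterDemo {          // hypothetical class name
    static void addDoc(IndexWriter w, String body, String permission) throws Exception {
        Document d = new Document();
        d.add(new TextField("body", body, Field.Store.NO));                // analyzed text
        d.add(new StringField("permission", permission, Field.Store.NO));  // exact-match token
        w.addDocument(d);
    }

    public static void main(String[] args) throws Exception {
        Analyzer analyzer = new StandardAnalyzer();
        Directory dir = new ByteBuffersDirectory();   // in-memory index, nothing written to disk
        try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(analyzer))) {
            addDoc(w, "quarterly report", "user");    // constructed sample documents
            addDoc(w, "salary report", "admin");
        }
        String userInput = "report OR permission:admin";  // constructed input, as in the reply
        QueryParser parser = new QueryParser("body", analyzer);

        // Concatenated form: the restriction and the user's text go through one parse,
        // so the result depends on how QueryParser combines the operators it finds.
        Query concatenated = parser.parse("+permission:user " + userInput);

        // Programmatic form: the user's text is parsed on its own and becomes a single
        // required sub-query. The restriction is a TermQuery that never passes through
        // the parser, so no query syntax in userInput can alter or remove it.
        Query restricted = new BooleanQuery.Builder()
            .add(parser.parse(userInput), BooleanClause.Occur.MUST)
            .add(new TermQuery(new Term("permission", "user")), BooleanClause.Occur.FILTER)
            .build();

        try (DirectoryReader reader = DirectoryReader.open(dir)) {
            IndexSearcher searcher = new IndexSearcher(reader);
            for (Query q : new Query[] { concatenated, restricted }) {
                // Print the parsed structure next to the number of matching documents.
                System.out.println(q + " -> " + searcher.count(q) + " hit(s)");
            }
        }
    }
}
```

`Occur.FILTER` makes the permission clause mandatory without letting it contribute to scoring, which keeps ranking driven by the user's own terms.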