I dug deeper and discovered that the exception message is being added to the HTTP response line by SolrDispatchFilter. So that is where the fix should be made. I will open a Jira and attach a patch.

Bill

On Fri, Nov 20, 2009 at 5:34 PM, Bill Au <[email protected]> wrote:

> I just noticed that the message of Lucene's ParseException contains the
> user's input that Lucene is failing to parse. The user input is not
> sanitized in any way. My appserver is showing the exception message in both
> the body and the HTTP status line of the response. So even if I set up
> custom error pages the user input is still being sent unsanitized in the
> response. I don't know if this is the behavior of other appservers or not.
> I don't think I can sanitize the user input before sending it to Solr/Lucene
> since the content of my index contains special characters.
>
> I am thinking that we can change the behavior of QueryComponent. Since
> Solr is a webapp, I don't think it is unreasonable to have Solr be
> responsible for sanitizing exception messages. This is the current
> QueryComponent code:
>
>     } catch (ParseException e) {
>       throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, e);
>     }
>
> Instead of wrapping the ParseException in the SolrException, we can simply
> sanitize the message of the ParseException and use that to create the
> SolrException.
> I can submit a patch for this.
>
> Any comments/suggestions?
>
> Bill
>
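
The kind of sanitizing discussed in this thread, as an added example that is not part of the original messages and is not Solr or Lucene code. The class name, method names and length cap are assumptions, and the sample message is constructed.

```java
// Added example: hypothetical helper, not code from Solr or Lucene.
public class ErrorMessageSanitizer {

    private static final int MAX_LEN = 200; // assumed cap on echoed text

    /** HTML-escapes text destined for an error page body. */
    static String forHtmlBody(String msg) {
        if (msg == null) return "";
        StringBuilder sb = new StringBuilder(msg.length() + 16);
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** One line of printable ASCII, length-capped, then HTML-escaped,
     *  since the appserver may also render the status message into a page. */
    static String forStatusLine(String msg) {
        if (msg == null) return "";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < msg.length() && sb.length() < MAX_LEN; i++) {
            char c = msg.charAt(i);
            // CR, LF, other control characters and non-ASCII become a space
            sb.append(c >= 0x20 && c < 0x7f ? c : ' ');
        }
        return forHtmlBody(sb.toString().trim());
    }

    public static void main(String[] args) {
        // Constructed message shaped like a parser error that echoes user input
        String raw = "Cannot parse 'title:<b>x</b>\r\nX-Test: 1': syntax error";
        System.out.println(forStatusLine(raw));
        System.out.println(forHtmlBody(raw));
    }
}
```

In a servlet filter, the sanitized string is what would be passed as the message argument of `HttpServletResponse.sendError(int, String)`.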
