Followup on ColdFusion 9/Solr Post

Just a very quick follow up to my post yesterday about ColdFusion and Solr. (And by the way - I'm disappointed no one has discovered the security issue with my searchable code. Tsk tsk! :) I ran into issues running Solr when I was testing. Shannon Hicks has posted a nice blog entry on this with Mac-compatible Solr startup scripts:

ColdFusion 9 Solr Startup Scripts for OSX

Thanks Shannon!

Archived Comments

Comment 1 by Gary Gilbert posted on 8/22/2009 at 6:45 PM

you mean the cfoutput #form.search# thats open to xss attacks?

It's example code demonstrating slor functionality not on how to protect against xss. Anyone who uses example code in a production environment (e.g. cut and paste coding) deserves what he or she gets.

Perhaps a bit harsh but thats my opinion

Comment 2 by Raymond Camden posted on 8/22/2009 at 6:48 PM

Good one, but not it. The flaw is explicitly related to search. You are the only one who tried, so if you want, I can just spill it. :)

Comment 3 by Gary Gilbert posted on 8/22/2009 at 10:35 PM

Ray, other than you not cleaning your url or form variable in search.cfm I don't see any other security problems. I must be losing my edge.

Comment 4 by Raymond Camden posted on 8/23/2009 at 12:37 AM

You know, I made this too obtuse probably. And overblown. I apologize. Really - the issue was simple. The 'old' app used logic to get PRs with a published date in the past. That logic is not respected in search. It is a classic example really of where a security/business rule in one place gets missed in another.