Just a very quick follow-up to my post yesterday about ColdFusion and Solr. (And by the way, I'm disappointed no one has discovered the security issue with my searchable code. Tsk tsk! :) I ran into issues running Solr when I was testing. Shannon Hicks has posted a nice blog entry on this with Mac-compatible Solr startup scripts:
ColdFusion 9 Solr Startup Scripts for OSX
Thanks Shannon!
Archived Comments
You mean the cfoutput #form.search# that's open to XSS attacks?
It's example code demonstrating Solr functionality, not how to protect against XSS. Anyone who uses example code in a production environment (e.g. cut-and-paste coding) deserves what he or she gets.
Perhaps a bit harsh, but that's my opinion.
Good one, but not it. The flaw is explicitly related to search. You are the only one who tried, so if you want, I can just spill it. :)
Ray, other than you not cleaning your URL or form variable in search.cfm, I don't see any other security problems. I must be losing my edge.
You know, I made this too obtuse probably. And overblown. I apologize. Really - the issue was simple. The 'old' app used logic to get PRs with a published date in the past. That logic is not respected in search. It is a classic example really of where a security/business rule in one place gets missed in another.
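The thread above only names the real issue in the last comment, so here is an added example, written for this page rather than taken from the original post or its sample app, that shows both problems the commenters raised side by side: the listing/search mismatch Ray describes (the "published date in the past" rule applied on the list page but not on the search page) and the raw #form.search# echo. It is plain Python with a constructed in-memory press-release list standing in for both the database and the Solr collection; the names PressRelease, is_visible, list_prs, search_prs_naive, search_prs and render_results are all assumptions for illustration.

```python
import html
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PressRelease:
    id: int
    title: str
    body: str
    published: datetime  # may lie in the future (embargoed until then)


# Fixed clock so the example is deterministic; LATER is after PR 3's embargo.
NOW = datetime(2010, 3, 1, 12, 0)
LATER = NOW + timedelta(days=8)

# Constructed sample data (not from the original post). PR 3 is embargoed.
PRS = [
    PressRelease(1, "Widget 2.0 ships", "Our widget now supports Solr search.",
                 NOW - timedelta(days=10)),
    PressRelease(2, "Q1 results", "Revenue grew 40 percent.",
                 NOW - timedelta(days=1)),
    PressRelease(3, "Acquisition of Foo Inc", "We will acquire Foo Inc next month.",
                 NOW + timedelta(days=7)),
]


def is_visible(pr, now=NOW):
    """The business rule, defined once: a PR is public only after its
    published date has passed."""
    return pr.published <= now


def list_prs(now=NOW):
    """The 'old' listing page: applies the rule."""
    return [pr for pr in PRS if is_visible(pr, now)]


def full_text_match(term):
    """Stand-in for the Solr collection: it matches against everything that
    was indexed, and the embargoed PR was indexed too."""
    term = term.lower()
    return [pr for pr in PRS if term in pr.title.lower() or term in pr.body.lower()]


def search_prs_naive(term):
    """Search as described in the comment thread: the list page's rule is
    never applied here, so an embargoed PR leaks through search."""
    return full_text_match(term)


def search_prs(term, now=NOW):
    """Fixed search: the same predicate the list page uses is applied to
    the search hits, so both paths enforce one rule."""
    return [pr for pr in full_text_match(term) if is_visible(pr, now)]


def render_results(term, results):
    """Build the results page. The other issue raised in the thread is the
    search term echoed back raw (#form.search# inside cfoutput); escaping it
    here is what stops the reflected XSS."""
    safe_term = html.escape(term, quote=True)
    items = "".join(f"<li>{html.escape(pr.title)}</li>" for pr in results)
    return f'<p>Results for "{safe_term}":</p><ul>{items}</ul>'


if __name__ == "__main__":
    print([pr.id for pr in list_prs()])                   # [1, 2]
    print([pr.id for pr in search_prs_naive("acquire")])  # [3]  (the leak)
    print([pr.id for pr in search_prs("acquire")])        # []
    print([pr.id for pr in search_prs("acquire", LATER)]) # [3]  (embargo over)
    print(render_results('<script>alert(1)</script>', search_prs("solr")))
```

The point of keeping `is_visible` as one function is that any new path that exposes PRs (search, RSS, an API) has a single rule to call, instead of each path re-deriving "published date in the past" and one of them forgetting. With a real Solr collection the same effect can be had by filtering the cfsearch results against the database by key, or by indexing the published date and filtering at query time; either way the rule has to be applied on the search path, not just on the list page.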