17332
Reporter: godfoder
Assignee: fmendez
Type: Bug
Summary: Supplying a value to an API parameter that is also a SOLR Keyword causes a 500 Error
Priority: Major
Resolution: Fixed
Status: Resolved
Created: 2015-02-27 20:51:30.871
Updated: 2015-03-05 00:51:40.484
Resolved: 2015-03-05 00:51:40.459

Description:

curl "http://api.gbif.org/v1/occurrence/search?institutionCode=MSU&collectionCode=OR&limit=0"

results in:

Problem accessing /occurrence/search. Reason:
Server Error
Caused by:
org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: org.apache.solr.search.SyntaxError: Cannot parse '(collection_code:OR) AND (institution_code:MSU)': Encountered " <OR> "OR "" at line 1, column 17.

Also triggerable from the portal at: http://www.gbif.org/occurrence/search?COLLECTION_CODE=OR

I haven't tried, because I don't want to break anything, but I wouldn't be surprised if this was a slightly more benign form of injection attack (since that endpoint should be read only) that could nevertheless leave you open to a DOS risk via specially crafted expensive SOLR queries.

Comment
Author: fmendez@gbif.org
Created: 2015-03-05 00:51:40.481
Updated: 2015-03-05 00:51:40.481

This issue was addressed with the following commits:
https://github.com/gbif/common-search/commit/ba6c852799dd323c11cffd58b50f61bc0e94ed36
https://github.com/gbif/occurrence/commit/20963f2ceae7ee3b7cfb990cbc14e25cd871d913
https://github.com/gbif/checklistbank/commit/eabd961df68e982fe92277f18408d32c60d4b027
https://github.com/gbif/registry/commit/b1d3b8eaf1bfecaaf17595b651392930908267fc
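The root cause in the report is a filter value interpolated verbatim into a Solr query string, so a value that happens to be a query-parser keyword (OR) changes the structure of the query instead of being matched as data. The following Python is an added illustration, not code from GBIF or from the linked commits: it reproduces the broken query builder beside a version that quotes every value as a phrase, and includes a small checker that flags the exact failure mode in the stack trace (a bare boolean keyword sitting where a field value should be). The quoting rule (escape backslash and double quote inside a phrase) is the standard Lucene phrase syntax; the field and value names are the ones from the report.

```python
"""Keeping user-supplied filter values out of Solr query syntax.

Added example; builder shapes and the checker are assumptions, not GBIF code.
"""
import re

# Boolean operators the Lucene/Solr query parser recognises as bare tokens.
SOLR_KEYWORDS = ("AND", "OR", "NOT")


def build_query_unsafe(filters: dict) -> str:
    """The pattern behind the report: values concatenated straight into the
    query, so a value of 'OR' becomes the operator OR."""
    return " AND ".join(f"({field}:{value})" for field, value in filters.items())


def quote_phrase(value: str) -> str:
    """Turn an arbitrary value into a Solr phrase literal.

    Inside double quotes the parser treats AND/OR/NOT, parentheses, colons
    and wildcards as plain characters; only backslash and the quote itself
    need escaping, and backslash must be escaped first.
    """
    inner = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def build_query_safe(filters: dict) -> str:
    """Same query shape, but every value is a phrase literal, so the only
    operators in the string are the ones the application wrote itself."""
    return " AND ".join(
        f"({field}:{quote_phrase(value)})" for field, value in filters.items()
    )


def bare_keyword_values(query: str) -> list:
    """Report field values, outside quoted phrases, that are bare keywords.

    This is the condition that produced
    'Cannot parse ... Encountered <OR>' in the report. Quoted phrases are
    blanked out first so their contents are never mistaken for operators.
    """
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    pattern = r":\s*(" + "|".join(SOLR_KEYWORDS) + r")\b"
    return [m.group(1) for m in re.finditer(pattern, unquoted)]


if __name__ == "__main__":
    # Constructed input: the two filters from the bug report.
    filters = {"collection_code": "OR", "institution_code": "MSU"}
    for builder in (build_query_unsafe, build_query_safe):
        q = builder(filters)
        print(f"{builder.__name__:20s} {q!r:60s} bare keywords: {bare_keyword_values(q)}")
```

The checker is useful as a regression test in the query-building layer, not as a substitute for quoting: it catches the keyword case from this ticket, whereas phrase-quoting also neutralises parentheses, range syntax and wildcards that could make a read-only endpoint execute a far more expensive query than intended.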