[ https://issues.apache.org/jira/browse/SOLR-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12999139#comment-12999139 ]
Uwe Schindler commented on SOLR-1656:
-------------------------------------
After thinking a little bit about it, I found out that supporting XInclude at
all for InputStream-only resources is broken and also a security leak and
should be switched off:

With my patch all SolrConfigs/SolrSchemas are correctly loaded using
InputSource. But the Config base class is also used e.g. for parsing some
requests where the XML comes from the network as InputStream only. Supporting
XInclude here is broken, as this network stream has no systemId, so I would
simply disable XInclude and the EntityResolver if the Config class only gets an
InputStream instead of an InputSource. Also it should not be possible to load
arbitrary files from the filesystem referenced by an XML file in a network
stream (this is somehow a security leak).

After making the whole thing separate for InputSource and InputStream, it
could also easily be made backwards compatible, as the InputStream methods are
separate and support no XInclude and are not.
> XInclude's are resolved relative CWD, not instance dir
> ------------------------------------------------------
>
> Key: SOLR-1656
> URL: https://issues.apache.org/jira/browse/SOLR-1656
> Project: Solr
> Issue Type: Bug
> Affects Versions: 1.4
> Reporter: Hoss Man
> Attachments: SOLR-1656-mockup.patch,
> SOLR-1656_Support_SAX_SystemId_via_wrapping_InputStream.patch,
> Support_SAX_SystemId_via_wrapping_InputStream.patch
>
>
> As noted on the mailing list, when an XInclude in a config file references a
> relative path, it's resolved relative to the CWD of the servlet container, and
> not the instanceDir of the core...
>
> http://old.nabble.com/using-Xinclude-with-multi-core-to26548400.html#a26548400
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
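The split the comment proposes, as an added illustration that is not Solr's own Config class: a hypothetical loader that enables XInclude only for an InputSource carrying a systemId (a file-backed solrconfig/schema), and parses a bare InputStream (e.g. a request body from the network) with XInclude, DOCTYPE and external entity resolution switched off, so an include href in the stream is never resolved against the local filesystem. The class name, the sample XML and the file name in it are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Hypothetical config loader illustrating the InputSource / InputStream split. */
public class ConfigLoaderExample {

    /** Trusted, file-backed config: the systemId gives XInclude a base URI for relative hrefs. */
    public static Document loadFromInputSource(InputSource src) throws Exception {
        if (src.getSystemId() == null) {
            throw new IllegalArgumentException("no systemId; use loadFromInputStream");
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setXIncludeAware(true);
        return dbf.newDocumentBuilder().parse(src);
    }

    /** Untrusted stream with no base URI: no XInclude, no DOCTYPE, no external entities. */
    public static Document loadFromInputStream(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Any remaining external reference resolves to an empty document, never to a file.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a network-style document carrying an XInclude of a local file.
        String xml = "<?xml version=\"1.0\"?><config xmlns:xi=\"http://www.w3.org/2001/XInclude\">"
                   + "<xi:include href=\"local-secret.txt\" parse=\"text\"/></config>";
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        Document d = loadFromInputStream(in);
        // With XInclude off the xi:include element is left in the tree unexpanded; nothing is read from disk.
        System.out.println("unexpanded includes: " + d.getElementsByTagNameNS(
            "http://www.w3.org/2001/XInclude", "include").getLength());
    }
}
```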