[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011065#comment-15011065 ]
Uwe Schindler commented on SOLR-8307:
-------------------------------------

Hi,

it should use the code pattern as Erik told. Disabling DTDs completely is not a good idea. In general all XML parsing of resources coming from network should follow the same pattern. The EmptyEntityResolver has methods for *all* types of XML parsers to disable external entities, so use its methods to configure. Grep on EmptyEntityResolver and you will see that all of the above listed parsers are fine (unless somebody broke them again).

_Please note:_ This only affects XML coming from the network. Please don't disable xinclude or external entities in Solr's config files. Those should not be accessible through internet anyways, if they are you have bigger problems. It is an officially documented feature that you can use xinclude and external entities to split your solr config files (I generally place the field types and fields each in a separate XML file and include them into the schema).

> XXE Vulnerability
> -----------------
>
>                 Key: SOLR-8307
>                 URL: https://issues.apache.org/jira/browse/SOLR-8307
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 5.3
>            Reporter: Adam Johnson
>         Attachments: SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes”
> feature under the “Plugins / Stats” option. When submitting the changes, XML
> is passed in the “stream.body” parameter and is vulnerable to XXE.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
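The network-only hardening pattern the comment refers to, written out as an added example (this is illustrative code, not Solr's own EmptyEntityResolver class): every external entity resolves to an empty document for both the SAX/DOM and the StAX parser, while DTD support itself stays enabled. The class name, the helper names and the SYSTEM URI in the constructed request body are assumptions/placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

/** Hypothetical helper: resolve every external entity to nothing for XML that arrives over the network. */
public final class NetworkXmlHardening {

  // SAX/DOM: any SYSTEM or PUBLIC entity resolves to an empty input source instead of being fetched.
  static final EntityResolver SAX_EMPTY = (publicId, systemId) -> new InputSource(new StringReader(""));

  // StAX: same policy for readers created from an XMLInputFactory.
  static final XMLResolver STAX_EMPTY =
      (publicId, systemId, baseUri, namespace) -> new ByteArrayInputStream(new byte[0]);

  static DocumentBuilder hardenedDomBuilder() throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setXIncludeAware(false);           // XInclude is for local config files, not request bodies
    DocumentBuilder b = f.newDocumentBuilder();
    b.setEntityResolver(SAX_EMPTY);      // DTDs still parse; external references just yield nothing
    return b;
  }

  static XMLInputFactory hardenedStaxFactory() {
    XMLInputFactory f = XMLInputFactory.newInstance();
    f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE); // keep DTDs, as the comment advises
    f.setXMLResolver(STAX_EMPTY);        // safety net for implementations that ignore the property
    return f;
  }

  public static void main(String[] args) throws Exception {
    // Constructed request body in the shape of an external-entity probe; the SYSTEM URI is a placeholder.
    String body = "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder-not-a-real-path\">]>"
        + "<r>&ext;</r>";
    Document doc = hardenedDomBuilder().parse(new InputSource(new StringReader(body)));
    System.out.println("DOM text content: '" + doc.getDocumentElement().getTextContent() + "'");

    XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(body));
    StringBuilder text = new StringBuilder();
    while (r.hasNext()) { if (r.next() == XMLStreamReader.CHARACTERS) text.append(r.getText()); }
    System.out.println("StAX text content: '" + text + "'");
  }
}
```

Both printed strings come out empty because the resolver, not the filesystem or network, answers the entity reference; the same builder must not be used for solrconfig.xml or schema files, where xinclude is a supported feature.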