[ 
https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011065#comment-15011065
 ] 

Uwe Schindler commented on SOLR-8307:
-------------------------------------

Hi,
it should use the code pattern as Erik said. Disabling DTDs completely is not a 
good idea.

In general, all XML parsing of resources coming from the network should follow the 
same pattern. The EmptyEntityResolver has methods for *all* types of XML 
parsers to disable external entities, so use its methods to configure them. Grep for 
EmptyEntityResolver and you will see that all of the above listed parsers are 
fine (unless somebody broke them again).

_Please note:_ This only affects XML coming from the network. Please don't 
disable xinclude or external entities in Solr's config files. Those should not 
be accessible through the internet anyway; if they are, you have bigger problems. 
It is an officially documented feature that you can use xinclude and external 
entities to split your Solr config files (I generally place the field types and 
fields each in a separate XML file and include them into the schema).

> XXE Vulnerability
> -----------------
>
>                 Key: SOLR-8307
>                 URL: https://issues.apache.org/jira/browse/SOLR-8307
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 5.3
>            Reporter: Adam Johnson
>         Attachments: SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes” 
> feature under the “Plugins / Stats” option. When submitting the changes, XML 
> is passed in the “stream.body” parameter and is vulnerable to XXE.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
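The pattern the comment above describes, as an added example written for this page and not code from Solr or from Uwe's EmptyEntityResolver: a resolver that answers every external-entity request with an empty document is installed on the DOM, SAX and StAX parsers used for network input (here the "stream.body" case), while DOCTYPE declarations remain allowed and nothing is changed for the config-file parsers that legitimately rely on xinclude. The class name NetworkXmlParsing, the method names and the two resolver constants are assumptions for illustration; the XXE payload is a constructed probe, not taken from the issue.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical helper class (not Solr's): parsers for XML received over the network.
public class NetworkXmlParsing {

    // Every external entity (external DTD subset, SYSTEM/PUBLIC entities) resolves
    // to an empty document, so the parser never opens a file or URL chosen by the
    // sender. The DOCTYPE itself is still accepted, so documents carrying an
    // internal DTD subset keep parsing; only external fetches are neutralised.
    static final EntityResolver EMPTY_SAX_RESOLVER = new EntityResolver() {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            return new InputSource(new StringReader(""));
        }
    };

    // Same idea for StAX, which uses its own resolver interface.
    static final XMLResolver EMPTY_STAX_RESOLVER = new XMLResolver() {
        @Override
        public Object resolveEntity(String publicId, String systemId,
                                    String baseURI, String namespace) {
            return new ByteArrayInputStream(new byte[0]);
        }
    };

    // Vulnerable form, kept for comparison: default JAXP settings follow the
    // SYSTEM identifier, so an &xxe; reference expands to the named file or URL.
    static Document parseUntrustedVulnerable(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened DOM parsing: same parser, external entities resolve to nothing and
    // xi:include is off, because network input must never pull in other files.
    static Document parseUntrustedDom(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setXIncludeAware(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(EMPTY_SAX_RESOLVER);
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened SAX parsing. The resolver is set on the XMLReader directly;
    // SAXParser.parse(InputSource, DefaultHandler) would install the handler as
    // entity resolver and silently undo this.
    static void parseUntrustedSax(String xml, DefaultHandler handler) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setXIncludeAware(false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        reader.setEntityResolver(EMPTY_SAX_RESOLVER);
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened StAX reader: DTDs stay supported (the comment above asks for that),
    // external entities are disabled and, as belt and braces, resolved to nothing.
    static XMLStreamReader untrustedStaxReader(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        xif.setXMLResolver(EMPTY_STAX_RESOLVER);
        return xif.createXMLStreamReader(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE probe of the kind that could be posted in stream.body.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
            "<foo>&xxe;</foo>";

        Document safe = parseUntrustedDom(payload);
        System.out.println("hardened DOM text: '"
            + safe.getDocumentElement().getTextContent() + "'");

        XMLStreamReader r = untrustedStaxReader(payload);
        StringBuilder text = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            }
        }
        System.out.println("hardened StAX text: '" + text + "'");
    }
}
```

Running main prints the document text with the entity expanded to nothing rather than to the contents of /etc/passwd; parseUntrustedVulnerable is deliberately never called on the probe. The point of resolving to an empty InputSource instead of forbidding DOCTYPE (the disallow-doctype-decl feature) is exactly the one made in the comment: documents that carry a DTD still parse, and the parsers used for solrconfig.xml and the schema, which are not shown here, keep xinclude and external entities enabled because those files are trusted local configuration.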
