[
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16465102#comment-16465102
]
Uwe Schindler edited comment on LUCENE-8291 at 5/6/18 12:16 PM:
----------------------------------------------------------------
We will remove this class as it is not really used in Lucene and Solr, it's
just a convenience class.
In fact it's not really a security issue, because it is just a way for an
application to use template XML files for the XML query parser where properties
can be replaced. The XML file is not intended to be loaded from untrusted
sources. Anybody doing this has misunderstood the whole class anyways and will
fail to use it. So this looks like just an issue reported by some automated
code safety testing tool.
For the template manager the use case is: You have an XML/XSL file as a query
template in your resources folder and you use properties to replace the
property placeholders in the XML before passing to XML query parser. If used
correctly there is never any external possibility to inject XML. So there is no
need to fix this.
Nevertheless, as the above functionality can be done outside of Lucene easily,
let's remove this class. It's mostly untested and not used in the wild (GitHub
search).
was (Author: thetaphi):
We will remove this class as it is not really used in Lucene and Solr, it's
just a convenience class.
In fact it's not really a security issue, because it is just a way for an
application to use template XML files for the XML query parser where properties
can be replaced. The XML file is not intended to be loaded from untrusted
sources. Anybody doing this has misunderstood the whole class anyways and will
fail to use it anyways. So this looks like just an issue reported by some
automated code safety testing tool.
For the template manager the use case is: You have an XML/XSL file as a query
template in your resources folder and you use properties to replace the
property placeholders in the XML before passing to XML query parser. If used
correctly there is never any external possibility to inject XML. So there is no
need to fix this.
Nevertheless, as the above functionality can be done outside of Lucene easily,
let's remove this class. It's mostly untested and not used in the wild (GitHub
search).
> Possible security issue when parsing XML documents containing external entity
> references
> ----------------------------------------------------------------------------------------
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
> Affects Versions: 7.2.1
> Reporter: Hendrik Saly
> Assignee: Uwe Schindler
> Priority: Critical
> Labels: security
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in
> DOMUtils.java line 204 XML is parsed without disabling external entity
> references (XXE). This is described in
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are
> listed here:
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of Lucene are affected.
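The mitigations the report points at (the OWASP XXE cheat sheet) and the usage the assignee describes (a trusted template from the resources folder, with property values substituted before parsing) can be shown together. The following is an added example, not Lucene's QueryTemplateManager or DOMUtils code: it hardens a JDK DocumentBuilderFactory so that no DOCTYPE and no external entity is ever processed, substitutes ${name} placeholders with escaped values so a property value can only ever become character data, and then checks that a constructed document carrying a DOCTYPE is rejected. The class and method names, the template text and the property values are all constructed for this example; the feature URIs are the standard Xerces/JDK ones.

```java
import java.io.StringReader;
import java.util.Properties;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added example (hypothetical class, not Lucene code): hardened DOM parsing of an XML query template. */
public final class HardenedTemplateParsing {

  /** Build a DocumentBuilder with DTD processing and external entity resolution switched off. */
  static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Reject any DOCTYPE outright: without a DTD there are no entity declarations, internal or external.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Belt and braces for parser implementations that might not honour the feature above.
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf.newDocumentBuilder();
  }

  /** Escape a property value so it is always character data, never markup, once placed in the template. */
  static String escapeXml(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (char c : s.toCharArray()) {
      switch (c) {
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '&': sb.append("&amp;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&apos;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  /** Replace ${name} placeholders in a trusted template with escaped values from props. */
  static String fillTemplate(String template, Properties props) {
    StringBuilder out = new StringBuilder();
    int pos = 0;
    while (true) {
      int start = template.indexOf("${", pos);
      int end = start < 0 ? -1 : template.indexOf('}', start);
      if (start < 0 || end < 0) {
        out.append(template, pos, template.length());
        return out.toString();
      }
      out.append(template, pos, start);
      String name = template.substring(start + 2, end);
      String value = props.getProperty(name);
      if (value == null) {
        throw new IllegalArgumentException("missing property: " + name);
      }
      out.append(escapeXml(value));
      pos = end + 1;
    }
  }

  static Document parse(String xml) throws Exception {
    return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
  }

  public static void main(String[] args) throws Exception {
    // Constructed template, standing in for a file shipped in the application's resources folder.
    String template = "<BooleanQuery><Clause occurs=\"must\">"
        + "<TermQuery fieldName=\"${field}\">${term}</TermQuery></Clause></BooleanQuery>";
    Properties props = new Properties();
    props.setProperty("field", "title");
    props.setProperty("term", "lucene & solr <markup>"); // markup-looking value stays plain text
    Document doc = parse(fillTemplate(template, props));
    System.out.println("term text: " + doc.getElementsByTagName("TermQuery").item(0).getTextContent());

    // A constructed document with a DOCTYPE (harmless internal entity) is refused before any entity is resolved.
    String withDoctype = "<!DOCTYPE q [<!ENTITY e \"x\">]><q>&e;</q>";
    try {
      parse(withDoctype);
      System.out.println("unexpected: DOCTYPE accepted");
    } catch (SAXParseException e) {
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

The first parse prints the substituted term with its angle brackets and ampersand intact as text, showing that escaping the substituted values is what keeps a property from injecting elements. The second parse fails with a SAXParseException from the disallow-doctype-decl feature, which is the check worth keeping even when the template is only ever read from trusted resources: a parser that refuses DOCTYPEs cannot be turned into an entity resolver by whatever file ends up on that path later.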
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]