Uwe Schindler commented on LUCENE-8291:

I did not notice, that the whole demo webapplication is now obsolete. So I 
removed it, too. We should just make sure that we have some lucene demo 
available that actually works. But from looking at the code this was more or 
less a template engine, so not really useful for a programmer. It was just a 
nice looking demo.

Maybe we should move the QueryParserTemplate manager to the demoe webapp as a 
private class and just use it from there? If yes, I'd revert [~mkhludnev]'s 
changed and the removal of the webapp / ivy deps.

> Possible security issue when parsing XML documents containing external entity 
> references
> ----------------------------------------------------------------------------------------
>                 Key: LUCENE-8291
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/queryparser
>    Affects Versions: 7.2.1
>            Reporter: Hendrik Saly
>            Assignee: Uwe Schindler
>            Priority: Major
>             Fix For: 7.4, master (8.0)
>         Attachments: LUCENE-8291.patch
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to