[
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543201#comment-16543201
]
Andrejs Aleksejevs commented on LUCENE-8291:
--------------------------------------------
I have used this construction to load database configurations, now I got an
error.
What's the best way to load configurations for each core in solrconfig.xml?
{{<xi:include href="file:///var/lib/solr/conf/database.dih.prod.cr.xml"
xmlns:xi="http://www.w3.org/2001/XInclude";> }}
{{<xi:fallback> }}
{{ <}}{{xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml"
/> }}
{{</xi:fallback>}}
{{ </xi:include>}}
> Possible security issue when parsing XML documents containing external entity
> references
> ----------------------------------------------------------------------------------------
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
> Affects Versions: 7.2.1
> Reporter: Hendrik Saly
> Assignee: Uwe Schindler
> Priority: Major
> Fix For: 7.4, master (8.0)
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in
> DOMUtils.java line 204 XML is parsed without disabling external entity
> references (XXE). This is described in
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are
> listed here:
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
