[jira] [Comment Edited] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

Fri, 13 Jul 2018 06:45:05 -0700 


    [ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543201#comment-16543201
 ] 

Andrejs Aleksejevs edited comment on LUCENE-8291 at 7/13/18 1:44 PM:
---------------------------------------------------------------------

I have used this construction to load database configurations, now I got an 
error.

What's the best way to load configurations for each core in solrconfig.xml?

 

{\{<xi:include href="file:///var/lib/solr/conf/database.dih.prod.cr.xml" 
xmlns:xi="http://www.w3.org/2001/XInclude";> }}

{\{<xi:fallback> }}

{{     <}}{\{xi:include 
href="file:///var/lib/solr/conf/database.dih.dev.cr.xml" /> }}

{{</xi:fallback>}}

{\{ </xi:include>}}

 

*database.dih.dev.cr.xml*

{{<requestHandler name="/dataimport" 
class="org.apache.solr.handler.dataimport.DataImportHandler"> <lst 
name="defaults"> <str name="config">data-config.xml</str> <lst 
name="datasource"> <str name="driver">org.mariadb.jdbc.Driver</str> <str 
name="url">jdbc:mysql://localhost:3306database_name</str> <str 
name="user">userName</str> <str name="password">password</str> </lst> </lst> 
</requestHandler>}}


was (Author: oyeme):
I have used this construction to load database configurations, now I got an 
error.

What's the best way to load configurations for each core in solrconfig.xml?

 

{{<xi:include href="file:///var/lib/solr/conf/database.dih.prod.cr.xml" 
xmlns:xi="http://www.w3.org/2001/XInclude";> }}

{{<xi:fallback> }}

{{     <}}{{xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml" 
/> }}

{{</xi:fallback>}}

{{ </xi:include>}}

> Possible security issue when parsing XML documents containing external entity 
> references
> ----------------------------------------------------------------------------------------
>
>                 Key: LUCENE-8291
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/queryparser
>    Affects Versions: 7.2.1
>            Reporter: Hendrik Saly
>            Assignee: Uwe Schindler
>            Priority: Major
>             Fix For: 7.4, master (8.0)
>
>         Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to