[
https://issues.apache.org/jira/browse/SOLR-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13463630#comment-13463630
]
Uwe Schindler commented on SOLR-3895:
-------------------------------------
Hi Martin,
thanks for your report after our communication about this before. I agree, it
would be a good idea to not allow external entities (those can be e.g.,
references to external DTDs - but we never check XML validity according to a
DTD) and also other external entities like &foobar; introduced by those DTDs
should not be loaded:
- Lots of XML files come with a DTD declaration (like XHTML documents or
similar things). If you would pass those XML documents through the update
handler (with e.g. XSL transforming to Solr XML), those DTDs would be resolved
and loaded by the XML parser - with no use for Solr.
- All documents passed to XMLRequestHandler should be self-complete, meaning no
includes or similar things. XInclude is not enabled for XML updates, so
external entities should also be ignored.
> For several reasons, disabling the resolving of external entities within the
> Solr UpdateRequestHandler for XML would be good.
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-3895
> URL: https://issues.apache.org/jira/browse/SOLR-3895
> Project: Solr
> Issue Type: Improvement
> Reporter: Martin Herfurt
> Assignee: Uwe Schindler
> Priority: Minor
>
> The Solr UpdateRequestHandler for XML currently resolves so-called XML
> External Entities. Not resolving XML External Entities would - among other
> things - improve Solr's update performance.
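
One way to ignore external DTDs and external entities as discussed in the comment above, as an added example that is not part of the original message and is not Solr's own code. It assumes a StAX parser from the JDK; the class name, the sample document and its URLs are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

// Hypothetical class name; not taken from Solr.
public class NoExternalEntities {
    // Constructed sample: an update document with an external DTD reference and
    // an external entity declared in the internal subset (placeholder URLs).
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE add SYSTEM \"http://dtd.example.invalid/add.dtd\" [\n"
      + "  <!ENTITY foobar SYSTEM \"http://dtd.example.invalid/foobar.txt\">\n"
      + "]>\n"
      + "<add><doc><field name=\"id\">1</field>"
      + "<field name=\"text\">before &foobar; after</field></doc></add>";
    static int resolverCalls = 0;

    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Keep the parser from expanding external general entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Whatever the parser still asks for (e.g. the external DTD subset) is
        // answered with an empty stream, so no file or network access happens.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            resolverCalls++;
            return new ByteArrayInputStream(new byte[0]);
        });
        return f;
    }

    public static void main(String[] args) throws Exception {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(SAMPLE));
        while (r.hasNext()) {
            switch (r.next()) {
                case XMLStreamConstants.START_ELEMENT:
                    System.out.println("element: " + r.getLocalName());
                    break;
                case XMLStreamConstants.CHARACTERS:
                    System.out.println("text: " + r.getText());
                    break;
                case XMLStreamConstants.ENTITY_REFERENCE:
                    System.out.println("unexpanded entity: " + r.getLocalName());
                    break;
            }
        }
        System.out.println("resolver calls answered with empty stream: " + resolverCalls);
    }
}
```

How an unexpanded external entity is reported (as an ENTITY_REFERENCE event or dropped) depends on the StAX implementation in use, so check the behaviour against the parser actually deployed.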