[ https://issues.apache.org/jira/browse/SOLR-16296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600595#comment-17600595 ]

David Smiley commented on SOLR-16296:
-------------------------------------

There were some twists and turns here (discussed in GitHub) -- key take-away is 
that elevate.xml is already loaded securely, and so the premise of this JIRA 
issue is false (oops).  That said, there are some small beneficial refactorings 
that can be done.  RE QueryElevationComponent, [~noblepaul] recently filed 
SOLR-16369 which just so happens to be one of the changes.

> Load elevate.xml in a more secure way
> -------------------------------------
>
>                 Key: SOLR-16296
>                 URL: https://issues.apache.org/jira/browse/SOLR-16296
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Haythem Khiri
>            Assignee: David Smiley
>            Priority: Minor
>          Time Spent: 5.5h
>  Remaining Estimate: 0h
>
> Solr should ensure that most XML files in a ConfigSet should be loaded in an 
> untrusted way for security. XML files can have custom DTDs and XInclude for 
> ConfigSets provided externally.
> This is not about changing how solrconfig.xml and schema.xml are being loaded.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
