[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references
[ https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568354#comment-16568354 ] Andrejs Aleksejevs commented on LUCENE-8291: Hi, [~thetaphi] thanks for the comment. Will try to use it. > Possible security issue when parsing XML documents containing external entity > references > > > Key: LUCENE-8291 > URL: https://issues.apache.org/jira/browse/LUCENE-8291 > Project: Lucene - Core > Issue Type: Bug > Components: modules/queryparser >Affects Versions: 7.2.1 >Reporter: Hendrik Saly >Assignee: Uwe Schindler >Priority: Major > Fix For: 7.4, master (8.0) > > Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch > > > It appears that in QueryTemplateManager.java lines 149 and 198 and in > DOMUtils.java line 204 XML is parsed without disabling external entity > references (XXE). This is described in > [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are > listed here: > [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet] > All recent versions of lucene are affected. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references
[
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16543201#comment-16543201
]
Andrejs Aleksejevs edited comment on LUCENE-8291 at 7/13/18 1:44 PM:
-
I have used this construction to load database configurations, now I got an
error.
What's the best way to load configurations for each core in solrconfig.xml?
{\{http://www.w3.org/2001/XInclude;> }}
{\{ }}
{{ <}}{\{xi:include
href="file:///var/lib/solr/conf/database.dih.dev.cr.xml" /> }}
{{}}
{\{ }}
*database.dih.dev.cr.xml*
{{ data-config.xml org.mariadb.jdbc.Driver jdbc:mysql://localhost:3306database_name userName password
}}
was (Author: oyeme):
I have used this construction to load database configurations, now I got an
error.
What's the best way to load configurations for each core in solrconfig.xml?
{{http://www.w3.org/2001/XInclude;> }}
{{ }}
{{ <}}{{xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml"
/> }}
{{}}
{{ }}
> Possible security issue when parsing XML documents containing external entity
> references
>
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Major
> Fix For: 7.4, master (8.0)
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in
> DOMUtils.java line 204 XML is parsed without disabling external entity
> references (XXE). This is described in
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are
> listed here:
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references
[
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16543201#comment-16543201
]
Andrejs Aleksejevs commented on LUCENE-8291:
I have used this construction to load database configurations, now I got an
error.
What's the best way to load configurations for each core in solrconfig.xml?
{{http://www.w3.org/2001/XInclude;> }}
{{ }}
{{ <}}{{xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml"
/> }}
{{}}
{{ }}
> Possible security issue when parsing XML documents containing external entity
> references
>
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Major
> Fix For: 7.4, master (8.0)
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in
> DOMUtils.java line 204 XML is parsed without disabling external entity
> references (XXE). This is described in
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are
> listed here:
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
