[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-08-03 Thread Andrejs Aleksejevs (JIRA)


[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16568354#comment-16568354
 ] 

Andrejs Aleksejevs commented on LUCENE-8291:


Hi [~thetaphi], thanks for the comment. Will try to use it.

> Possible security issue when parsing XML documents containing external entity 
> references
> 
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
>  Issue Type: Bug
>  Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Major
> Fix For: 7.4, master (8.0)
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-07-13 Thread Uwe Schindler (JIRA)


[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16543763#comment-16543763
 ] 

Uwe Schindler commented on LUCENE-8291:
---

Hi [~Oyeme], I think you are in the wrong issue. This is talking about 
something completely different. But to answer your question about DIH: You can 
still do this - but you cannot use absolute paths anymore. All xincludes must 
use relative (!) paths that don't escape the Solr home directory.

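Uwe's reply above states the constraint that survives the change: an include must be a relative path and must not escape the Solr home directory. The following is an added example, not Solr's own implementation, of how such a check can be expressed so that absolute paths, URIs with a scheme or host, and `..` traversal are all rejected before anything is read. The base directory, the class name ConfinedInclude and the sample hrefs (one of which is the absolute file URI from the question) are assumptions for the demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ConfinedInclude {

  // Resolves an xi:include href against a base directory and returns the target
  // path, or throws if the href carries a scheme or authority, is an absolute
  // path, or normalizes to a location outside the base directory.
  static Path resolveInclude(Path baseDir, String href) {
    URI uri;
    try {
      uri = new URI(href);
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("malformed href: " + href, e);
    }
    // "file:///...", "http://..." and "//host/share" are all rejected here.
    if (uri.isAbsolute() || uri.getAuthority() != null) {
      throw new IllegalArgumentException("absolute or remote href rejected: " + href);
    }
    String path = uri.getPath();
    if (path == null || path.isEmpty() || path.startsWith("/")) {
      throw new IllegalArgumentException("href must be a relative path: " + href);
    }
    // Normalize both sides so that ".." segments are collapsed before the containment test.
    Path base = baseDir.toAbsolutePath().normalize();
    Path target = base.resolve(path).normalize();
    if (!target.startsWith(base)) {
      throw new IllegalArgumentException("href escapes base directory: " + href);
    }
    return target;
  }

  public static void main(String[] args) {
    Path solrHome = Paths.get("/var/solr/data/mycore/conf");  // assumed base directory
    String[] hrefs = {
        "database.dih.dev.cr.xml",                            // relative: accepted
        "dih/database.xml",                                   // relative subdirectory: accepted
        "file:///var/lib/solr/conf/database.dih.dev.cr.xml",  // absolute file URI: rejected
        "/etc/passwd",                                        // absolute path: rejected
        "../../../../etc/passwd",                             // traversal: rejected
        "http://example.invalid/database.xml",                // remote: rejected
    };
    for (String href : hrefs) {
      try {
        System.out.println("accept " + href + " -> " + resolveInclude(solrHome, href));
      } catch (IllegalArgumentException e) {
        System.out.println("reject " + href + ": " + e.getMessage());
      }
    }
  }
}
```

The check is purely lexical: it does not follow symbolic links, so a link inside the base directory that points outside it would still be accepted. If that matters in your deployment, resolve the target with `toRealPath()` once the file is known to exist and repeat the `startsWith` test on the result.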



[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-07-13 Thread Andrejs Aleksejevs (JIRA)


[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16543201#comment-16543201
 ] 

Andrejs Aleksejevs commented on LUCENE-8291:


I have used this construction to load database configurations, and now I get an 
error.

What's the best way to load configurations for each core in solrconfig.xml?

 

{{<... xmlns:xi="http://www.w3.org/2001/XInclude">}}
{{    <xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml" />}}
{{</...>}}




[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-06-27 Thread Uwe Schindler (JIRA)


[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524766#comment-16524766
 ] 

Uwe Schindler commented on LUCENE-8291:
---

I think so.

> Possible security issue when parsing XML documents containing external entity 
> references
> 
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
>  Issue Type: Bug
>  Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Major
> Fix For: master (8.0), 7.5
>
> Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.






[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-06-27 Thread Adrien Grand (JIRA)


[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524762#comment-16524762
 ] 

Adrien Grand commented on LUCENE-8291:
--

[~thetaphi] Can this issue be closed now?




[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476966#comment-16476966
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit c6b8d334f084a4573fb9e644b05d7e0e0091ef4c in lucene-solr's branch 
refs/heads/branch_7x from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=c6b8d33 ]

LUCENE-8291: Remove untested/unmaintained demo webapp





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476964#comment-16476964
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit 3a73d4b2d60af89b1b88dcf2e484d73927a46bb1 in lucene-solr's branch 
refs/heads/master from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=3a73d4b ]

LUCENE-8291: Remove untested/unmaintained demo webapp





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476959#comment-16476959
 ] 

Uwe Schindler commented on LUCENE-8291:
---

This patch removes remaining obsolete stuff (demo webapp, which is not even 
tested!): [^LUCENE-8291-2.patch] 




[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476944#comment-16476944
 ] 

Uwe Schindler commented on LUCENE-8291:
---

I did not notice that the whole demo webapplication is now obsolete. So I 
removed it, too. We should just make sure that we have some lucene demo 
available that actually works. But from looking at the code this was more or 
less a template engine, so not really useful for a programmer. It was just a 
nice looking demo.

Maybe we should move the QueryParserTemplate manager to the demo webapp as a 
private class and just use it from there? If yes, I'd revert [~mkhludnev]'s 
changes and the removal of the webapp / ivy deps.

> Possible security issue when parsing XML documents containing external entity 
> references
> 
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
>  Issue Type: Bug
>  Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Major
> Fix For: 7.4, master (8.0)
>
> Attachments: LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.






[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476938#comment-16476938
 ] 

Uwe Schindler commented on LUCENE-8291:
---

After looking at the demo module, the servlet api is no longer used there. I'll 
remove the dependency from ivy.xml.




[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476931#comment-16476931
 ] 

Uwe Schindler commented on LUCENE-8291:
---

[~mkhludnev] fixed this a minute ago: 
http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/09a789f5 (master) and 
http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/897f6b37 (7.x)




[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-16 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476893#comment-16476893
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit 897f6b37eec6aefc90a9981ae99b8be9ea3c17b8 in lucene-solr's branch 
refs/heads/branch_7x from [~mkhludnev]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=897f6b3 ]

LUCENE-8291: Build Fix. Removing Demo Servlet.





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-15 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476891#comment-16476891
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit 09a789f535007c907c8dc55f3ae4e4e9ca9c8ee3 in lucene-solr's branch 
refs/heads/master from [~mkhludnev]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=09a789f ]

LUCENE-8291: Build Fix. Removing Demo Servlet.





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-15 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476508#comment-16476508
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit f4fae49f0e6363b38b8898079dd904a364ce332a in lucene-solr's branch 
refs/heads/branch_7x from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=f4fae49 ]

LUCENE-8291: Remove QueryTemplateManager utility class from XML queryparser





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-15 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16476507#comment-16476507
 ] 

ASF subversion and git services commented on LUCENE-8291:
-

Commit 11c6a7ad8824f54fdf61d30579ef9689172253e9 in lucene-solr's branch 
refs/heads/master from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=11c6a7a ]

LUCENE-8291: Remove QueryTemplateManager utility class from XML queryparser





[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-06 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16465106#comment-16465106
 ] 

Uwe Schindler commented on LUCENE-8291:
---

Patch removing this class and examples: [^LUCENE-8291.patch] 

> Possible security issue when parsing XML documents containing external entity 
> references
> 
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
>  Issue Type: Bug
>  Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Assignee: Uwe Schindler
>Priority: Critical
>  Labels: security
> Attachments: LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of lucene are affected.






[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

2018-05-06 Thread Uwe Schindler (JIRA)

[ 
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16465102#comment-16465102
 ] 

Uwe Schindler commented on LUCENE-8291:
---

We will remove this class as it is not really used in Lucene and Solr; it's 
just a convenience class.

In fact it's not really a security issue, because it is just a way for an 
application to use template XML files for the XML query parser where properties 
can be replaced. The XML file is not intended to be loaded from untrusted 
sources. Anybody doing this has misunderstood the whole class anyway and will 
fail to use it anyway. So this looks like just an issue reported by some 
automated code safety testing tool.

For the template manager the use case is: You have an XML/XSL file as a query 
template in your resources folder and you use properties to replace the 
property placeholders in the XML before passing to XML query parser. If used 
correctly there is never any external possibility to inject XML. So there is no 
need to fix this.

Nevertheless, as the above functionality can be done outside of Lucene easily, 
let's remove this class. It's mostly untested and not used in the wild (github 
search).

> Possible security issue when parsing XML documents containing external entity 
> references
> 
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
>  Issue Type: Bug
>  Components: modules/queryparser
>Affects Versions: 7.2.1
>Reporter: Hendrik Saly
>Priority: Critical
>  Labels: security
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in 
> DOMUtils.java line 204 XML is parsed without disabling external entity 
> references (XXE). This is described in 
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are 
> listed here: 
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of lucene are affected.


