[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-24 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15024608#comment-15024608 ] Erik Hatcher commented on SOLR-8307: [~thetaphi] - what do you think about the public

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-24 Thread Uwe Schindler (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15024649#comment-15024649 ] Uwe Schindler commented on SOLR-8307: I am fine with that. I don't think we need backwards

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-24 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15024669#comment-15024669 ] Erik Hatcher commented on SOLR-8307: Thanks [~thetaphi]. Documented in CHANGES and committed. > XXE

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-23 Thread ASF subversion and git services (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15023548#comment-15023548 ] ASF subversion and git services commented on SOLR-8307: Commit 1716008 from

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-23 Thread ASF subversion and git services (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15023546#comment-15023546 ] ASF subversion and git services commented on SOLR-8307: Commit 1716007 from

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-23 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15023554#comment-15023554 ] Erik Hatcher commented on SOLR-8307: [~hossman_luc...@fucit.org] - should be fixed now. I moved

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-23 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15022382#comment-15022382 ] Erik Hatcher commented on SOLR-8307: Forgot to mention JIRA ticket on commit message. Committed: *

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011180#comment-15011180 ] Erik Hatcher commented on SOLR-8307: [~thetaphi] looks like the diff feature of the admin UI sends XML

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Uwe Schindler (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011225#comment-15011225 ] Uwe Schindler commented on SOLR-8307: OK. So a misuse of response parser. This is why it is a problem.

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Shawn Heisey (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011174#comment-15011174 ] Shawn Heisey commented on SOLR-8307: bq. The patch attached here just modifies SolrJ. How is this

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Shawn Heisey (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011185#comment-15011185 ] Shawn Heisey commented on SOLR-8307: Thank you for taking a look and rescuing me from my lack of

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Uwe Schindler (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011084#comment-15011084 ] Uwe Schindler commented on SOLR-8307: I checked the code: Where is the XXE risk? The stream.body is

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011010#comment-15011010 ] Erik Hatcher commented on SOLR-8307: At a quick glance, it looks like XMLResponseParser ought to

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Uwe Schindler (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011071#comment-15011071 ] Uwe Schindler commented on SOLR-8307: The patch attached here just modifies SolrJ. How is this related

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Uwe Schindler (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15011065#comment-15011065 ] Uwe Schindler commented on SOLR-8307: Hi, it should use the code pattern as Erik told. Disabling DTDs

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15012731#comment-15012731 ] Erik Hatcher commented on SOLR-8307: Solr's "ant test" passed locally. I'll commit to trunk and

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-18 Thread Erik Hatcher (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15012705#comment-15012705 ] Erik Hatcher commented on SOLR-8307: Addressing [~elyograg]'s list above: *

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-17 Thread Shawn Heisey (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15010014#comment-15010014 ] Shawn Heisey commented on SOLR-8307: I'm wondering whether my patch might disable xinclude in Solr's

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-17 Thread Shawn Heisey (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15010122#comment-15010122 ] Shawn Heisey commented on SOLR-8307: I patched the 5.3.2 snapshot I'm trying out, and my solr install

[jira] [Commented] (SOLR-8307) XXE Vulnerability

2015-11-17 Thread Shawn Heisey (JIRA)
[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15010210#comment-15010210 ] Shawn Heisey commented on SOLR-8307: I found more instances of XMLInputFactory in the codebase. Here