You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by eh...@apache.org on 2015/11/23 17:07:47 UTC
svn commit: r1715864 - in /lucene/dev/branches/branch_5x: ./ solr/
solr/core/ solr/core/src/java/org/apache/solr/handler/
solr/core/src/java/org/apache/solr/handler/admin/
solr/core/src/java/org/apache/solr/util/
solr/core/src/test/org/apache/solr/hand...
Author: ehatcher
Date: Mon Nov 23 16:07:46 2015
New Revision: 1715864
URL: http://svn.apache.org/viewvc?rev=1715864&view=rev
Log:
Fix XXE vulnerability in MBeansHandler diff feature (merged from trunk r1715863)
Added:
lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/util/
- copied from r1715863, lucene/dev/trunk/solr/solrj/src/java/org/apache/solr/util/
Removed:
lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/util/EmptyEntityResolver.java
Modified:
lucene/dev/branches/branch_5x/ (props changed)
lucene/dev/branches/branch_5x/solr/ (props changed)
lucene/dev/branches/branch_5x/solr/CHANGES.txt (contents, props changed)
lucene/dev/branches/branch_5x/solr/core/ (props changed)
lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java
lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java
lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java
lucene/dev/branches/branch_5x/solr/solrj/ (props changed)
lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java
Modified: lucene/dev/branches/branch_5x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/CHANGES.txt?rev=1715864&r1=1715863&r2=1715864&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_5x/solr/CHANGES.txt Mon Nov 23 16:07:46 2015
@@ -255,6 +255,8 @@ Bug Fixes
* SOLR-5971: Fix error 'Illegal character in query' when proxying request.
(Uwe Schindler, Ishan Chattopadhyaya, Eric Bus)
+* SOLR-8307: Fix XXE vulnerability in MBeansHandler "diff" feature (Erik Hatcher)
+
Optimizations
----------------------
Modified: lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java?rev=1715864&r1=1715863&r2=1715864&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java Mon Nov 23 16:07:46 2015
@@ -105,7 +105,7 @@ public class DocumentAnalysisRequestHand
inputFactory.setProperty("reuse-instance", Boolean.FALSE);
} catch (IllegalArgumentException ex) {
// Other implementations will likely throw this exception since "reuse-instance"
- // isimplementation specific.
+ // is implementation specific.
log.debug("Unable to set the 'reuse-instance' property for the input factory: " + inputFactory);
}
}
Modified: lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java?rev=1715864&r1=1715863&r2=1715864&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java Mon Nov 23 16:07:46 2015
@@ -106,7 +106,7 @@ public class SolrInfoMBeanHandler extend
try {
XMLResponseParser parser = new XMLResponseParser();
return (NamedList<NamedList<NamedList<Object>>>)
- parser.processResponse(new StringReader(content.substring(idx))).get("solr-mbeans");
+ parser.processResponse(new StringReader(content)).get("solr-mbeans");
}
catch(Exception ex) {
throw new SolrException(ErrorCode.BAD_REQUEST, "Unable to read original XML", ex);
Modified: lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java?rev=1715864&r1=1715863&r2=1715864&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java Mon Nov 23 16:07:46 2015
@@ -70,4 +70,19 @@ public class MBeansHandlerTest extends S
NamedList<NamedList<NamedList<Object>>> nl = SolrInfoMBeanHandler.fromXML(xml);
assertNotNull( nl.get("QUERYHANDLER").get("org.apache.solr.handler.admin.CollectionsHandler"));
}
+
+ @Test
+ public void testXMLDiffWithExternalEntity() throws Exception {
+ String file = getFile("mailing_lists.pdf").toURI().toASCIIString();
+ String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+ "<!DOCTYPE foo [<!ENTITY bar SYSTEM \""+file+"\">]>\n" +
+ "<response>\n" +
+ "&bar;" +
+ "<lst name=\"responseHeader\"><int name=\"status\">0</int><int name=\"QTime\">31</int></lst><lst name=\"solr-mbeans\"></lst>\n" +
+ "</response>";
+
+ NamedList<NamedList<NamedList<Object>>> nl = SolrInfoMBeanHandler.fromXML(xml);
+
+ assertTrue("external entity ignored properly", true);
+ }
}
Modified: lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java?rev=1715864&r1=1715863&r2=1715864&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java (original)
+++ lucene/dev/branches/branch_5x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java Mon Nov 23 16:07:46 2015
@@ -25,6 +25,7 @@ import org.apache.solr.common.util.DateU
import org.apache.solr.common.util.NamedList;
import org.apache.solr.common.util.SimpleOrderedMap;
import org.apache.solr.common.util.XMLErrorLogger;
+import org.apache.solr.util.EmptyEntityResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -56,6 +57,8 @@ public class XMLResponseParser extends R
static final XMLInputFactory factory;
static {
factory = XMLInputFactory.newInstance();
+ EmptyEntityResolver.configureXMLInputFactory(factory);
+
try {
// The java 1.6 bundled stax parser (sjsxp) does not currently have a thread-safe
// XMLInputFactory, as that implementation tries to cache and reuse the