Posted to dev@lucene.apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2015/11/18 15:32:11 UTC

[jira] [Comment Edited] (SOLR-8307) XXE Vulnerability

    [ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011084#comment-15011084 ] 

Uwe Schindler edited comment on SOLR-8307 at 11/18/15 2:31 PM:
---------------------------------------------------------------

I checked the code: Where is the XXE risk? The stream.body is going through a safe parser. So do you have a testcase? How did you find out that there is an XXE issue? I spent a whole week 2 years ago on fixing all these problems, so how could they reappear? There are also tests that check to prevent XXE at some places!

The attached patch only fixes SolrJ, but this is not really a security issue, because it is used to connect to Solr and not arbitrary web sites.


was (Author: thetaphi):
I checked the code: Where is the XXE risk? The stream.body is going through a safe parser. So do you have a testcase? How did you find out that there is an XXE issue? I spent a whole week on fixing all these problems, so how could they reappear? There are also tests that check to prevent XXE at some places!

The attached patch only fixes SolrJ, but this is not really a security issue, because it is used to connect to Solr and not arbitrary web sites.

> XXE Vulnerability
> -----------------
>
>                 Key: SOLR-8307
>                 URL: https://issues.apache.org/jira/browse/SOLR-8307
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 5.3
>            Reporter: Adam Johnson
>         Attachments: SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes” feature under the “Plugins / Stats” option. When submitting the changes, XML is passed in the “stream.body” parameter and is vulnerable to XXE.
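The discussion above turns on two things: whether the XML in stream.body goes through a parser with external entities disabled, and whether a test exists that would catch a regression. The class below is an added illustration written for this note, not code from Solr or from the attached SOLR-8307.patch. It configures a plain JAXP DocumentBuilderFactory the way a hardened parser is configured, then checks that a harmless body still parses while a body carrying a DOCTYPE with an external entity is refused. The XML samples, the class name and the method names are constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeParserCheck {

    // Constructed sample: a body that declares an external entity and references it.
    // A hardened parser must either refuse the DOCTYPE or leave the entity unresolved.
    static final String DOCTYPE_BODY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"file:///nonexistent/secret\"> ]>\n"
      + "<foo>&ext;</foo>";

    // Constructed sample: a plain element body with no DOCTYPE, which must still parse.
    static final String PLAIN_BODY = "<add><doc><field name=\"id\">1</field></doc></add>";

    /** Builds a DocumentBuilderFactory with the JAXP settings that neutralise XXE. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the single most effective setting against entity-based XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: forbid any external DTD or schema fetch (Java 7u40 and later).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a body and returns the root element's text, or null if the parser refused it. */
    static String parseText(DocumentBuilderFactory f, String body)
            throws ParserConfigurationException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        // Resolver that never fetches anything: any entity lookup yields an empty document.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        try {
            Document d = b.parse(new InputSource(new StringReader(body)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return null; // DOCTYPE disallowed: the parser refused the document
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        String plain = parseText(f, PLAIN_BODY);   // expected: "1"
        String xxe = parseText(f, DOCTYPE_BODY);   // expected: null (refused)
        // The two assertions a regression test for the parser configuration would carry:
        if (plain == null) {
            throw new AssertionError("hardened parser rejected a harmless body");
        }
        if (xxe != null) {
            throw new AssertionError("hardened parser accepted a DOCTYPE with an external entity");
        }
        System.out.println("plain body parsed, DOCTYPE body refused: OK");
    }
}
```

Compile and run it with a stock JDK (javac XxeParserCheck.java && java XxeParserCheck). The useful part for a reviewer of a report like this one is the second assertion: if a code path hands stream.body to a factory built without these settings, the same check fails, which is the kind of test the comment refers to.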



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
