Posted to issues@solr.apache.org by "David Smiley (Jira)" <ji...@apache.org> on 2022/09/06 06:00:00 UTC

[jira] [Commented] (SOLR-16296) Load elevate.xml in a more secure way

    [ https://issues.apache.org/jira/browse/SOLR-16296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600595#comment-17600595 ] 

David Smiley commented on SOLR-16296:
-------------------------------------

There were some twists and turns here (discussed in GitHub) -- key take-away is that elevate.xml is already loaded securely, and so the premise of this JIRA issue is false (oops).  That said, there are some small beneficial refactorings that can be done.  RE QueryElevationComponent, [~noblepaul] recently filed SOLR-16369 which just so happens to be one of the changes.

> Load elevate.xml in a more secure way
> -------------------------------------
>
>                 Key: SOLR-16296
>                 URL: https://issues.apache.org/jira/browse/SOLR-16296
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Haythem Khiri
>            Assignee: David Smiley
>            Priority: Minor
>          Time Spent: 5.5h
>  Remaining Estimate: 0h
>
> Solr should ensure that most XML files in a ConfigSet should be loaded in an untrusted way for security. XML files can have custom DTDs and XInclude for ConfigSets provided externally.
> This is not about changing how solrconfig.xml and schema.xml are being loaded.


