Posted to dev@lucene.apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2018/05/06 12:16:00 UTC

[jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references

    [ https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16465102#comment-16465102 ] 

Uwe Schindler commented on LUCENE-8291:
---------------------------------------

We will remove this class as it is not really used in Lucene and Solr, it's just a convenience class.

In fact it's not really a security issue, because it is just a way for an application to use template XML files for the XML query parser where properties can be replaced. The XML file is not intended to be loaded from untrusted sources. Anybody doing this has misunderstood the whole class anyways and will fail to use it anyways. So this looks like just an issue reported by some automated code safety testing tool.

For the template manager the use case is: You have an XML/XSL file as a query template in your resources folder and you use properties to replace the property placeholders in the XML before passing to XML query parser. If used correctly there is never any external possibility to inject XML. So there is no need to fix this.

Nevertheless, as the above functionality can be done outside of Lucene easily, let's remove this class. It's mostly untested and not used in the wild (github search).

> Possible security issue when parsing XML documents containing external entity references
> ----------------------------------------------------------------------------------------
>
>                 Key: LUCENE-8291
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/queryparser
>    Affects Versions: 7.2.1
>            Reporter: Hendrik Saly
>            Priority: Critical
>              Labels: security
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are listed here: [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
