[
https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011084#comment-15011084
]
Uwe Schindler commented on SOLR-8307:
-------------------------------------
I checked the code: Where is the XXE risk. The stream.body is going through a
safe parser. So do you have a testcase? How did you find out that there is an
XXE issue? I spent a whole week on fixing all this problems, so how could they
reappear. There are also tests that check to prevent XXE at some places!
The attached patch only fixes SolrJ, but this is not really a security issue,
because it is used to connect to Solr and not arbitrary web sites.
> XXE Vulnerability
> -----------------
>
> Key: SOLR-8307
> URL: https://issues.apache.org/jira/browse/SOLR-8307
> Project: Solr
> Issue Type: Bug
> Components: UI
> Affects Versions: 5.3
> Reporter: Adam Johnson
> Attachments: SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes”
> feature under the “Plugins / Stats” option. When submitting the changes, XML
> is passed in the “stream.body” parameter and is vulnerable to XXE.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
