[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15011174#comment-15011174 ]
Shawn Heisey commented on SOLR-8307:
------------------------------------

bq. The patch attached here just modifies SolrJ. How is this related to config file parsing?

I'm flailing in the dark here, and obviously do not really understand the implications of the code examples I found. The mbeans handler is what was mentioned in the bug report, so I followed that, and it uses XMLResponseParser, so that's what I modified.

I'm not at all surprised that there's a better way.

> XXE Vulnerability
> -----------------
>
>                 Key: SOLR-8307
>                 URL: https://issues.apache.org/jira/browse/SOLR-8307
>             Project: Solr
>          Issue Type: Bug
>          Components: UI
>    Affects Versions: 5.3
>            Reporter: Adam Johnson
>         Attachments: SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes” feature under the “Plugins / Stats” option. When submitting the changes, XML is passed in the “stream.body” parameter and is vulnerable to XXE.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
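Added example, not part of the original message or of the SOLR-8307 patch: one common way to configure a StAX `XMLInputFactory` so that it processes neither DTDs nor external entities, run against a plain document and one that declares an external entity. It assumes the parser being hardened is StAX-based; the class name, the sample documents and the placeholder URI are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxExample {
    // Constructed sample: declares an external entity (placeholder URI) and references it.
    static final String WITH_DTD = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE response [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
        + "<response><str name=\"v\">&ext;</str></response>";
    static final String PLAIN = "<response><str name=\"v\">ok</str></response>";

    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Do not process DTDs, so entity declarations are never honoured.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Do not resolve external entities even if a DTD is seen.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Defence in depth: refuse any lookup that still reaches the resolver.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("external entity refused: " + systemId);
        });
        return f;
    }

    // Concatenates character data; throws if the parser rejects the document.
    static String textOf(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory f = hardenedFactory();
        System.out.println("plain: " + textOf(f, PLAIN));
        try {
            System.out.println("DTD input, entity not expanded: " + textOf(f, WITH_DTD));
        } catch (XMLStreamException e) {
            System.out.println("DTD input rejected: " + e.getMessage());
        }
    }
}
```

Whether the DTD-bearing document is rejected outright or parsed with the entity left unexpanded depends on the StAX implementation on the classpath, which is why `main` handles both outcomes.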