[ https://issues.apache.org/jira/browse/SOLR-8307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15023554#comment-15023554 ]
Erik Hatcher commented on SOLR-8307:
------------------------------------

[~hossman_luc...@fucit.org] - should be fixed now. I moved EmptyEntityResolver to the common package so as to not overlap. Do we need to create a solr-core version of this class (in the util) package to keep the same fully qualified classname for this public class? I'm ok with it changing, and documenting it in CHANGES. Objections or suggestions?

> XXE Vulnerability
> -----------------
>
> Key: SOLR-8307
> URL: https://issues.apache.org/jira/browse/SOLR-8307
> Project: Solr
> Issue Type: Bug
> Components: UI
> Affects Versions: 5.3
> Reporter: Adam Johnson
> Assignee: Erik Hatcher
> Priority: Blocker
> Fix For: 5.4, Trunk
>
> Attachments: SOLR-8307.patch, SOLR-8307.patch
>
>
> Use the drop-down in the left menu to select a core. Use the “Watch Changes”
> feature under the “Plugins / Stats” option. When submitting the changes, XML
> is passed in the “stream.body” parameter and is vulnerable to XXE.
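The mitigation discussed in this thread, sketched as an added example that is not part of the original message and is not Solr's code: a JAXP parser whose entity resolver returns an empty stream for every external entity, alongside a stricter variant that rejects any DOCTYPE. The class name `XxeSafeParseDemo`, the `EMPTY_RESOLVER` constant and the sample document are assumptions made for illustration; they stand in for, and do not reproduce, the `EmptyEntityResolver` class named in the comment.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeSafeParseDemo {
    // Hypothetical stand-in for an "empty" resolver: every external entity
    // resolves to an empty character stream, so the parser never opens the
    // file or URL named in the SYSTEM identifier.
    static final EntityResolver EMPTY_RESOLVER =
        (publicId, systemId) -> new InputSource(new StringReader(""));

    // Lenient mode: DOCTYPE is tolerated, external entities expand to nothing.
    static String parseWithEmptyResolver(String xml) throws Exception {
        DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        b.setEntityResolver(EMPTY_RESOLVER);
        return b.parse(new InputSource(new StringReader(xml)))
                .getDocumentElement().getTextContent();
    }

    // Strict mode: any DOCTYPE declaration is a fatal parse error.
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the external entity points at a placeholder path.
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///constructed/placeholder.txt\">]>"
            + "<r>before[&ext;]after</r>";
        System.out.println("empty resolver text: " + parseWithEmptyResolver(xml));
        System.out.println("strict mode rejects: " + rejectsDoctype(xml));
    }
}
```

The lenient mode keeps request bodies that carry a harmless DOCTYPE working, while the strict mode is the safer default for endpoints that never need DTDs.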