metsw24-max opened a new pull request, #16135: URL: https://github.com/apache/lucene/pull/16135
Noticed `PatternParser.createParser()` builds its SAX reader without disabling external entities, and `resolveEntity` returns null for anything but the bundled `hyphenation.dtd`, so a hyphenation file can pull in arbitrary `file://` or `http://` entities (XXE). `CoreParser` already guards its XML the same way. The parser is non-validating and only reads pattern data, so refusing external DTDs/entities leaves valid files unchanged. The added test feeds a file with a `file://` entity and checks it is no longer expanded.
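The hardening the PR describes, written out as an added example (this is not Lucene's code and not the PR's diff; the class and method names, the inline stand-in for the bundled DTD, and the constructed input document are all my own assumptions). It configures a non-validating SAX reader so that external general and parameter entities are never expanded and the external DTD is never fetched, keeps the `DOCTYPE` reference to `hyphenation.dtd` working through an entity resolver that only ever serves the bundled DTD, and shows that an entity pointing at a placeholder `file://` path is skipped rather than read:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: a SAX reader for hyphenation pattern files with XXE disabled. */
public final class HardenedHyphenationSax {

  // Constructed stand-in for the bundled hyphenation.dtd (Lucene ships the real
  // one on the classpath); a minimal inline copy keeps this example offline.
  static final String BUNDLED_DTD =
      "<!ELEMENT hyphenation-info (patterns)>\n<!ELEMENT patterns (#PCDATA)>";

  public static XMLReader createHardenedReader() throws Exception {
    SAXParserFactory f = SAXParserFactory.newInstance();
    f.setNamespaceAware(false);
    f.setValidating(false); // pattern files are read, never validated
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Never expand entities whose content lives outside the document.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Never fetch the DOCTYPE's SYSTEM identifier from disk or network.
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    XMLReader reader = f.newSAXParser().getXMLReader();
    // Defense in depth: even if a resolver call happens, the only thing it can
    // ever return is the bundled DTD; every other system id gets an empty source.
    reader.setEntityResolver((publicId, systemId) -> {
      if (systemId != null && systemId.endsWith("hyphenation.dtd")) {
        return new InputSource(new StringReader(BUNDLED_DTD));
      }
      return new InputSource(new StringReader(""));
    });
    return reader;
  }

  /** Returns the character content of <patterns> and the names of any skipped entities. */
  public static String[] parsePatterns(String xml) throws Exception {
    StringBuilder text = new StringBuilder();
    StringBuilder skipped = new StringBuilder();
    XMLReader reader = createHardenedReader();
    reader.setContentHandler(new DefaultHandler() {
      boolean inPatterns;
      @Override public void startElement(String uri, String local, String qName, Attributes a) {
        inPatterns = "patterns".equals(qName);
      }
      @Override public void endElement(String uri, String local, String qName) {
        inPatterns = false;
      }
      @Override public void characters(char[] ch, int start, int len) {
        if (inPatterns) text.append(ch, start, len);
      }
      // Xerces reports an unexpanded external entity here instead of reading it.
      @Override public void skippedEntity(String name) {
        skipped.append(name).append(' ');
      }
    });
    reader.parse(new InputSource(new StringReader(xml)));
    return new String[] {text.toString(), skipped.toString().trim()};
  }

  public static void main(String[] args) throws Exception {
    // Constructed input: a pattern file whose internal subset declares an
    // external entity aimed at a placeholder path (not a real file).
    String xml = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE hyphenation-info SYSTEM \"hyphenation.dtd\" [\n"
        + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-path\">\n"
        + "]>\n"
        + "<hyphenation-info><patterns>a1b 1ca &ext;</patterns></hyphenation-info>";
    String[] result = parsePatterns(xml);
    System.out.println("patterns=[" + result[0] + "]");   // only the literal pattern text
    System.out.println("skipped entities=[" + result[1] + "]"); // "ext", never its target
  }
}
```

Two design points: the example deliberately does not turn on `disallow-doctype-decl`, because hyphenation files legitimately carry a `DOCTYPE` naming `hyphenation.dtd` and that feature would reject every valid file; and the resolver returns an empty `InputSource` rather than `null` for unknown system ids, since a `null` return tells the parser to fall back to its own default resolution, which is exactly the path that led to the original fetch.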
