lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uwe Schindler (JIRA)" <>
Subject [jira] Commented: (SOLR-1656) XInclude's are resolved relative CWD, not instance dir
Date Fri, 25 Feb 2011 00:01:38 GMT


Uwe Schindler commented on SOLR-1656:

After thinking a little bit about it, I found out that supporting XInclude at all for InputStream-only
resources is broken and also a security leak and should be switched off:
With my patch all SolrConfigs/SolrSchemas are correctly loaded using InputSource. But the
Config base class is also used e.g. for parsing some requests where the XML comes from network
as InputStream only. Supporting xinclude here is broken, as this network stream has no systemId,
so I would simply disable xinclude and the EntityResolver if Config class only gets an InputStream
instead of InputSource. Also it should not be possible to load arbitrary files from the filesystem
referenced by a xml file in a network stream (this is somehow a security leak).
After making the whole thing separate for InputSource and InputStreanm, it could also easily
be made backwards compatible, as the InputStream methods are separate and support no xinclude
and are not.

> XInclude's are resolved relative CWD, not instance dir
> ------------------------------------------------------
>                 Key: SOLR-1656
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: Hoss Man
>         Attachments: SOLR-1656-mockup.patch, SOLR-1656_Support_SAX_SystemId_via_wrapping_InputStream.patch,
> As noted on the mailing list, when an XInclude in a config files refrences a relative
path, it's resolved relative the CWD of the servlet container, and not the instanceDir of
the core...

This message is automatically generated by JIRA.
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message