lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrejs Aleksejevs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LUCENE-8291) Possible security issue when parsing XML documents containing external entity references
Date Fri, 03 Aug 2018 15:33:00 GMT

    [ https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568354#comment-16568354
] 

Andrejs Aleksejevs commented on LUCENE-8291:
--------------------------------------------

Hi, [~thetaphi] thanks for the comment. Will try to use it.

> Possible security issue when parsing XML documents containing external entity references
> ----------------------------------------------------------------------------------------
>
>                 Key: LUCENE-8291
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8291
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: modules/queryparser
>    Affects Versions: 7.2.1
>            Reporter: Hendrik Saly
>            Assignee: Uwe Schindler
>            Priority: Major
>             Fix For: 7.4, master (8.0)
>
>         Attachments: LUCENE-8291-2.patch, LUCENE-8291.patch
>
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java
line 204 XML is parsed without disabling external entity references (XXE). This is described
in [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are listed here:
[https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> All recent versions of lucene are affected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message