[
https://issues.apache.org/jira/browse/LUCENE-8291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16465102#comment-16465102
]
Uwe Schindler edited comment on LUCENE-8291 at 5/6/18 12:17 PM:
----------------------------------------------------------------
We will remove this class as it is not really used in Lucene and Solr, it's
just a convenience class.
In fact it's not really a security issue, because it is just a way for an
application to use template XML files for the XML query parser where properties
can be replaced. The XML file is not intended to be loaded from untrusted
sources. Anybody doing this has misunderstood the whole class anyway and will
fail to use it. So this looks like just an issue reported by some automated
code safety testing tool.
For the template manager the use case is: You have an XML/XSL file as a query
template in your local JAR resources folder and you use properties to replace
the property placeholders in the XML before passing it to XML query parser. If
used correctly there is never any external possibility to inject XML. So there
is no need to fix this. If there is the possibility to pass in an untrusted XML
file it's the application's fault, not Lucene's.
Nevertheless, as the above functionality can be done outside of Lucene easily,
let's remove this class. It's mostly untested and not used in the wild
(GitHub search).
was (Author: thetaphi):
We will remove this class as it is not really used in Lucene and Solr, it's
just a convenience class.
In fact it's not really a security issue, because it is just a way for an
application to use template XML files for the XML query parser where properties
can be replaced. The XML file is not intended to be loaded from untrusted
sources. Anybody doing this has misunderstood the whole class anyway and will
fail to use it. So this looks like just an issue reported by some automated
code safety testing tool.
For the template manager the use case is: You have an XML/XSL file as a query
template in your resources folder and you use properties to replace the
property placeholders in the XML before passing it to the XML query parser. If
used correctly there is never any external possibility to inject XML. So there
is no need to fix this.
Nevertheless, as the above functionality can be done outside of Lucene easily,
let's remove this class. It's mostly untested and not used in the wild (GitHub
search).
> Possible security issue when parsing XML documents containing external entity
> references
> ----------------------------------------------------------------------------------------
>
> Key: LUCENE-8291
> URL: https://issues.apache.org/jira/browse/LUCENE-8291
> Project: Lucene - Core
> Issue Type: Bug
> Components: modules/queryparser
> Affects Versions: 7.2.1
> Reporter: Hendrik Saly
> Assignee: Uwe Schindler
> Priority: Critical
> Labels: security
>
> It appears that in QueryTemplateManager.java lines 149 and 198 and in
> DOMUtils.java line 204 XML is parsed without disabling external entity
> references (XXE). This is described in
> [http://cwe.mitre.org/data/definitions/611.html] and possible mitigations are
> listed here:
> [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet]
> [https://www.cvedetails.com/cve/CVE-2014-6517/] is also related.
> All recent versions of Lucene are affected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
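The issue above is about DOM parsing done without the XXE mitigations from the OWASP cheat sheet it links to. The following is an added example, not code from Lucene, Solr or the reporter: it constructs a small "query template" carrying an external entity, parses it once with a stock `DocumentBuilderFactory` and once with a factory hardened the way the cheat sheet describes, and shows the `TransformerFactory` settings that cover the XSL side. The class name `XxeDemo`, the sample template, the element names `query`/`term` and the `file:///etc/hostname` target are all made up for the demonstration; the feature URIs and `XMLConstants` attributes are the real JAXP/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

  // Constructed sample (not a real Lucene template): a DOCTYPE declares an
  // external entity that points at a local file, and the body references it.
  static final String HOSTILE_TEMPLATE =
      "<?xml version=\"1.0\"?>\n"
    + "<!DOCTYPE query [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
    + "<query><term field=\"title\">&xxe;</term></query>";

  /** Parser exactly as newInstance().newDocumentBuilder() leaves it: DTDs and
   *  external entities are processed, so the file contents land in the DOM. */
  static DocumentBuilder defaultBuilder() throws Exception {
    return DocumentBuilderFactory.newInstance().newDocumentBuilder();
  }

  /** Parser hardened per the OWASP XXE prevention cheat sheet. */
  static DocumentBuilder hardenedBuilder() throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Refusing any DOCTYPE is the single most effective setting: it blocks
    // external entities, parameter entities and entity-expansion bombs at once.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth for parsers that do not honour the feature above.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder();
  }

  /** Factory for XSL templates with all external fetches switched off.
   *  Note: these attributes are accepted by the JDK's built-in XSLT engine
   *  (JDK 7u40 and later); a standalone Xalan on the classpath may reject them
   *  with IllegalArgumentException, which is worth failing loudly on. */
  static TransformerFactory hardenedTransformerFactory() {
    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    return tf;
  }

  /** Parses the template and returns the text of the first <term> element. */
  static String parseAndReadTerm(DocumentBuilder b, String xml) throws Exception {
    Document d = b.parse(new InputSource(new StringReader(xml)));
    return d.getDocumentElement().getElementsByTagName("term").item(0).getTextContent();
  }

  public static void main(String[] args) throws Exception {
    try {
      // On a machine where /etc/hostname exists, the default parser returns
      // its contents as the query term: the entity was resolved and inlined.
      System.out.println("default parser: term = "
          + parseAndReadTerm(defaultBuilder(), HOSTILE_TEMPLATE));
    } catch (Exception e) {
      System.out.println("default parser: " + e);
    }
    try {
      parseAndReadTerm(hardenedBuilder(), HOSTILE_TEMPLATE);
      System.out.println("hardened parser: unexpectedly accepted the document");
    } catch (SAXParseException e) {
      // Expected path: the DOCTYPE itself is rejected before any entity is touched.
      System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
    }
    hardenedTransformerFactory();
  }
}
```

Compile and run with a plain `javac XxeDemo.java && java XxeDemo`; no dependencies beyond the JDK. The point relevant to this thread is the one Uwe makes: with the hardened factory the outcome no longer depends on whether the template really came from the application's own JAR resources, which is the property you want when a convenience class might be handed a file from somewhere else.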