Closed asfimport closed 6 years ago
Uwe Schindler (@uschindler) (migrated from JIRA)
We will remove this class as it is not really used in Lucene and Solr, it's just a convenience class.
In fact it's not really a security issue, because it is just a way for an application to use template XML files for the XML query parser where properties can be replaced. The XML file is not intended to be loaded from untrusted sources. Anybody doing this has misunderstood the whole class anyways and will fail to use it. So this looks like just an issue reported by some automated code safety testing tool.
For the template manager the use case is: You have an XML/XSL file as a query template in your local JAR resources folder and you use properties to replace the property placeholders in the XML before passing it to XML query parser. If used correctly there is never any external possibility to inject XML. So there is no need to fix this. If there is the possibility to pass in an untrusted XML file it's the application's fault, not Lucene's.
Nevertheless, as the above functionality can be done outside of Lucene easily, let's remove this class. It's mostly untested and not used in the wild (GitHub search).
Uwe Schindler (@uschindler) (migrated from JIRA)
Patch removing this class and examples: LUCENE-8291.patch
ASF subversion and git services (migrated from JIRA)
Commit 11c6a7ad8824f54fdf61d30579ef9689172253e9 in lucene-solr's branch refs/heads/master from @uschindler https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=11c6a7a
LUCENE-8291: Remove QueryTemplateManager utility class from XML queryparser
ASF subversion and git services (migrated from JIRA)
Commit f4fae49f0e6363b38b8898079dd904a364ce332a in lucene-solr's branch refs/heads/branch_7x from @uschindler https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=f4fae49
LUCENE-8291: Remove QueryTemplateManager utility class from XML queryparser
Uwe Schindler (@uschindler) (migrated from JIRA)
Removed this utility class. Thanks for reporting!
ASF subversion and git services (migrated from JIRA)
Commit 09a789f535007c907c8dc55f3ae4e4e9ca9c8ee3 in lucene-solr's branch refs/heads/master from @mkhludnev https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=09a789f
LUCENE-8291: Build Fix. Removing Demo Servlet.
ASF subversion and git services (migrated from JIRA)
Commit 897f6b37eec6aefc90a9981ae99b8be9ea3c17b8 in lucene-solr's branch refs/heads/branch_7x from @mkhludnev https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=897f6b3
LUCENE-8291: Build Fix. Removing Demo Servlet.
Uwe Schindler (@uschindler) (migrated from JIRA)
I forgot to remove the test in the demo module.
Uwe Schindler (@uschindler) (migrated from JIRA)
@mkhludnev fixed this a minute ago: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/09a789f5 (master) and http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/897f6b37 (7.x)
Uwe Schindler (@uschindler) (migrated from JIRA)
After looking at the demo module, the servlet api is no longer used there. I'll remove the dependency from ivy.xml.
Uwe Schindler (@uschindler) (migrated from JIRA)
I did not notice that the whole demo web application is now obsolete. So I removed it, too. We should just make sure that we have some Lucene demo available that actually works. But from looking at the code this was more or less a template engine, so not really useful for a programmer. It was just a nice looking demo.
Maybe we should move the QueryTemplateManager to the demo webapp as a private class and just use it from there? If yes, I'd revert @mkhludnev's changes and the removal of the webapp / ivy deps.
Uwe Schindler (@uschindler) (migrated from JIRA)
This patch removes remaining obsolete stuff (demo webapp, which is not even tested!): LUCENE-8291-2.patch
Type | Location | Salary | Description
---|---|---|---
<%=doc.get("type")%> | <%=doc.get("location")%> | <%=doc.get("salary")%>,000 | <%=doc.get("description")%>
ASF subversion and git services (migrated from JIRA)
Commit 3a73d4b2d60af89b1b88dcf2e484d73927a46bb1 in lucene-solr's branch refs/heads/master from @uschindler https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=3a73d4b
LUCENE-8291: Remove untested/unmaintained demo webapp
ASF subversion and git services (migrated from JIRA)
Commit c6b8d334f084a4573fb9e644b05d7e0e0091ef4c in lucene-solr's branch refs/heads/branch_7x from @uschindler https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=c6b8d33
LUCENE-8291: Remove untested/unmaintained demo webapp
Adrien Grand (@jpountz) (migrated from JIRA)
@uschindler Can this issue be closed now?
Uwe Schindler (@uschindler) (migrated from JIRA)
I think so.
Andrejs Aleksejevs (migrated from JIRA)
I have used this construction to load database configurations, now I got an error.
What's the best way to load configurations for each core in solrconfig.xml?
```xml
<xi:include href="file:///var/lib/solr/conf/database.dih.prod.cr.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:fallback>
    <xi:include href="file:///var/lib/solr/conf/database.dih.dev.cr.xml" />
  </xi:fallback>
</xi:include>
```
database.dih.dev.cr.xml
```xml
<requestHandler name="/dataimport" class="org.apache.solr.handler.dataimport.DataImportHandler">
  <lst name="defaults">
    <str name="config">data-config.xml</str>
    <lst name="datasource">
      <str name="driver">org.mariadb.jdbc.Driver</str>
      <!-- note the slash between port and database name -->
      <str name="url">jdbc:mysql://localhost:3306/database_name</str>
      <str name="user">userName</str>
      <str name="password">password</str>
    </lst>
  </lst>
</requestHandler>
```
Uwe Schindler (@uschindler) (migrated from JIRA)
Hi Andrejs Aleksejevs, I think you are in the wrong issue. This is talking about something completely different. But to answer your question about DIH: You can still do this - but you cannot use absolute paths anymore. All xincludes must use relative paths that don't escape the Solr home directory.
Andrejs Aleksejevs (migrated from JIRA)
Hi, @uschindler thanks for the comment. Will try to use it.
It appears that in QueryTemplateManager.java lines 149 and 198 and in DOMUtils.java line 204 XML is parsed without disabling external entity references (XXE). This is described in http://cwe.mitre.org/data/definitions/611.html and possible mitigations are listed here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
All recent versions of Lucene are affected.
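The report above points at `DocumentBuilderFactory` usage that leaves external entity resolution at its defaults. The following is an added example, not code from Lucene or from the reporter, that puts a default-configured builder next to one hardened along the lines of the OWASP cheat sheet the report links to. The class name `HardenedXmlParser`, the helper names and the sample document with its `file:///etc/hostname` entity are all constructed for this illustration; the element names only loosely imitate an XML query-parser template and are not taken from Lucene's syntax.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample input (not from the issue): a template-like document whose
    // DOCTYPE declares an external general entity pointing at a local file.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE q [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<BooleanQuery><Clause occurs=\"must\">"
      + "<TermQuery fieldName=\"x\">&xxe;</TermQuery>"
      + "</Clause></BooleanQuery>";

    /** Builder with JDK defaults: external entities are resolved and expanded (CWE-611). */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Builder hardened as the OWASP XXE prevention cheat sheet recommends for DOM parsing. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so no entity can be declared at all. This alone
        // stops classic XXE; the remaining settings cover parsers that ignore this feature.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in arbitrary files; keep it off for untrusted input.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid all external DTD and schema access.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder db, String xml) throws SAXException, IOException {
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Hardened: the DOCTYPE itself is a fatal error, before any entity is touched.
        try {
            parse(hardenedBuilder(), UNTRUSTED_XML);
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }

        // Default: the parser opens file:///etc/hostname to expand &xxe;. If the file exists,
        // its contents land in the DOM; if not, the read fails with an IOException. Either
        // way the parser has reached into the local filesystem on the document's behalf.
        try {
            Document d = parse(defaultBuilder(), UNTRUSTED_XML);
            System.out.println("default parser text content: "
                + d.getDocumentElement().getTextContent().trim());
        } catch (IOException e) {
            System.out.println("default parser tried to read the entity and failed: " + e);
        }
    }
}
```

`disallow-doctype-decl` is the setting that matters most: once a DOCTYPE cannot appear, neither internal nor external entities can be declared, which also closes entity-expansion ("billion laughs") denial of service. Disabling the individual entity features and the JAXP external-access attributes is belt and braces for XML parser implementations that do not understand the Xerces-specific feature name.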
Migrated from LUCENE-8291 by Hendrik Saly, resolved Jun 27 2018 Attachments: LUCENE-8291.patch, LUCENE-8291-2.patch