Fix XXE vulnerability in MBeansHandler diff feature

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1715863 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Erik Hatcher 2015-11-23 16:05:45 +00:00
parent 11d8f445be
commit 8090380ecd
6 changed files with 22 additions and 2 deletions

View File

@ -401,6 +401,8 @@ Bug Fixes
* SOLR-5971: Fix error 'Illegal character in query' when proxying request.
(Uwe Schindler, Ishan Chattopadhyaya, Eric Bus)
* SOLR-8307: Fix XXE vulnerability in MBeansHandler "diff" feature (Erik Hatcher)
Optimizations
----------------------

View File

@ -105,7 +105,7 @@ public class DocumentAnalysisRequestHandler extends AnalysisRequestHandlerBase {
inputFactory.setProperty("reuse-instance", Boolean.FALSE);
} catch (IllegalArgumentException ex) {
// Other implementations will likely throw this exception since "reuse-instance"
// isimplementation specific.
// is implementation specific.
log.debug("Unable to set the 'reuse-instance' property for the input factory: " + inputFactory);
}
}

View File

@ -106,7 +106,7 @@ public class SolrInfoMBeanHandler extends RequestHandlerBase {
try {
XMLResponseParser parser = new XMLResponseParser();
return (NamedList<NamedList<NamedList<Object>>>)
parser.processResponse(new StringReader(content.substring(idx))).get("solr-mbeans");
parser.processResponse(new StringReader(content)).get("solr-mbeans");
}
catch(Exception ex) {
throw new SolrException(ErrorCode.BAD_REQUEST, "Unable to read original XML", ex);

View File

@ -70,4 +70,19 @@ public class MBeansHandlerTest extends SolrTestCaseJ4 {
NamedList<NamedList<NamedList<Object>>> nl = SolrInfoMBeanHandler.fromXML(xml);
assertNotNull( nl.get("QUERYHANDLER").get("org.apache.solr.handler.admin.CollectionsHandler"));
}
@Test
public void testXMLDiffWithExternalEntity() throws Exception {
String file = getFile("mailing_lists.pdf").toURI().toASCIIString();
String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<!DOCTYPE foo [<!ENTITY bar SYSTEM \""+file+"\">]>\n" +
"<response>\n" +
"&bar;" +
"<lst name=\"responseHeader\"><int name=\"status\">0</int><int name=\"QTime\">31</int></lst><lst name=\"solr-mbeans\"></lst>\n" +
"</response>";
NamedList<NamedList<NamedList<Object>>> nl = SolrInfoMBeanHandler.fromXML(xml);
assertTrue("external entity ignored properly", true);
}
}

View File

@ -25,6 +25,7 @@ import org.apache.solr.common.util.DateUtil;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.common.util.SimpleOrderedMap;
import org.apache.solr.common.util.XMLErrorLogger;
import org.apache.solr.util.EmptyEntityResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -56,6 +57,8 @@ public class XMLResponseParser extends ResponseParser
static final XMLInputFactory factory;
static {
factory = XMLInputFactory.newInstance();
EmptyEntityResolver.configureXMLInputFactory(factory);
try {
// The java 1.6 bundled stax parser (sjsxp) does not currently have a thread-safe
// XMLInputFactory, as that implementation tries to cache and reuse the