From 8090380ecd3b80234a727885ad06aea1c1e939d7 Mon Sep 17 00:00:00 2001
From: Erik Hatcher
Date: Mon, 23 Nov 2015 16:05:45 +0000
Subject: [PATCH] Fix XXE vulnerability in MBeansHandler diff feature

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1715863 13f79535-47bb-0310-9956-ffa450edef68
---
 solr/CHANGES.txt | 2 ++
 .../handler/DocumentAnalysisRequestHandler.java | 2 +-
 .../solr/handler/admin/SolrInfoMBeanHandler.java | 2 +-
 .../solr/handler/admin/MBeansHandlerTest.java | 15 +++++++++++++++
 .../solr/client/solrj/impl/XMLResponseParser.java | 3 +++
 .../org/apache/solr/util/EmptyEntityResolver.java | 0
 6 files changed, 22 insertions(+), 2 deletions(-)
 rename solr/{core => solrj}/src/java/org/apache/solr/util/EmptyEntityResolver.java (100%)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index a674c674aaa..805a7104682 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -401,6 +401,8 @@ Bug Fixes
 * SOLR-5971: Fix error 'Illegal character in query' when proxying request.
 (Uwe Schindler, Ishan Chattopadhyaya, Eric Bus)
 
+* SOLR-8307: Fix XXE vulnerability in MBeansHandler "diff" feature (Erik Hatcher)
+
 Optimizations
 ----------------------
 
diff --git a/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java b/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java
index 38265f14dd1..bf9c27cef16 100644
--- a/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/DocumentAnalysisRequestHandler.java
@@ -105,7 +105,7 @@ public class DocumentAnalysisRequestHandler extends AnalysisRequestHandlerBase {
 inputFactory.setProperty("reuse-instance", Boolean.FALSE);
 } catch (IllegalArgumentException ex) {
 // Other implementations will likely throw this exception since "reuse-instance"
- // isimplementation specific.
+ // is implementation specific.
 log.debug("Unable to set the 'reuse-instance' property for the input factory: " + inputFactory);
 }
 }
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java
index e8d93119244..a9a2da670eb 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/SolrInfoMBeanHandler.java
@@ -106,7 +106,7 @@ public class SolrInfoMBeanHandler extends RequestHandlerBase {
 try {
 XMLResponseParser parser = new XMLResponseParser();
 return (NamedList>>)
- parser.processResponse(new StringReader(content.substring(idx))).get("solr-mbeans");
+ parser.processResponse(new StringReader(content)).get("solr-mbeans");
 }
 catch(Exception ex) {
 throw new SolrException(ErrorCode.BAD_REQUEST, "Unable to read original XML", ex);
diff --git a/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java b/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java
index f7992bb8d70..3e3ce86b77f 100644
--- a/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java
+++ b/solr/core/src/test/org/apache/solr/handler/admin/MBeansHandlerTest.java
@@ -70,4 +70,19 @@ public class MBeansHandlerTest extends SolrTestCaseJ4 {
 NamedList>> nl = SolrInfoMBeanHandler.fromXML(xml);
 assertNotNull( nl.get("QUERYHANDLER").get("org.apache.solr.handler.admin.CollectionsHandler"));
 }
+
+ @Test
+ public void testXMLDiffWithExternalEntity() throws Exception {
+ String file = getFile("mailing_lists.pdf").toURI().toASCIIString();
+ String xml = "\n" +
+ "]>\n" +
+ "\n" +
+ "&bar;" +
+ "031\n" +
+ "";
+
+ NamedList>> nl = SolrInfoMBeanHandler.fromXML(xml);
+
+ assertTrue("external entity ignored properly", true);
+ }
 }
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java
index f9177c8d660..45ce77eb6f7 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java
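Review bot: In SolrInfoMBeanHandler.java the new call `parser.processResponse(new StringReader(content))` has no comment explaining why the whole body is now parsed, although it hands any prolog or DOCTYPE the caller supplied to the parser, where the removed line passed only `content.substring(idx)`. Protection against external entities therefore rests entirely on how XMLResponseParser's shared factory is configured, which this hunk does not show. I would put `// SOLR-8307: parse the full body; external entities are neutralised by the resolver set on XMLResponseParser's factory` above the `return`. If `idx`, which is presumably computed before this hunk, now serves only as a presence check, a short comment where it is assigned should say so. The enclosing method starts and ends outside the hunk.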
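Review bot: In MBeansHandlerTest.java, `assertTrue("external entity ignored properly", true)` at the end of testXMLDiffWithExternalEntity can never fail, and the parsed `nl` is never inspected, so the test only proves that `fromXML` did not throw. It would keep passing if a later parser configuration expanded the entity and the resulting document still happened to parse. Pointing the entity at a small text fixture with a known marker, referencing it inside a value that ends up in `nl`, and asserting `assertFalse("external entity must not be expanded", String.valueOf(nl).contains(MARKER));` would pin the behaviour the fix is meant to guarantee; `MARKER` is a placeholder for a string from that fixture. The XML literal is only partly legible on this page, so how `file` is used inside it is inferred.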
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/XMLResponseParser.java
@@ -25,6 +25,7 @@ import org.apache.solr.common.util.DateUtil;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.common.util.SimpleOrderedMap;
 import org.apache.solr.common.util.XMLErrorLogger;
+import org.apache.solr.util.EmptyEntityResolver;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -56,6 +57,8 @@ public class XMLResponseParser extends ResponseParser
 static final XMLInputFactory factory;
 static {
 factory = XMLInputFactory.newInstance();
+ EmptyEntityResolver.configureXMLInputFactory(factory);
+
 try {
 // The java 1.6 bundled stax parser (sjsxp) does not currently have a thread-safe
 // XMLInputFactory, as that implementation tries to cache and reuse the
diff --git a/solr/core/src/java/org/apache/solr/util/EmptyEntityResolver.java b/solr/solrj/src/java/org/apache/solr/util/EmptyEntityResolver.java
similarity index 100%
rename from solr/core/src/java/org/apache/solr/util/EmptyEntityResolver.java
rename to solr/solrj/src/java/org/apache/solr/util/EmptyEntityResolver.java
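Review bot: The added `EmptyEntityResolver.configureXMLInputFactory(factory);` in XMLResponseParser's static initializer carries no comment, while the `try` block directly below it documents its single property in detail. Because `factory` is a static field shared by every XMLResponseParser, this one line changes entity handling for every use of the class, not only the MBeans diff path, and a later refactor of the initializer could drop it unnoticed. I would add `// SOLR-8307: never resolve external entities (XXE); applies to every parser created from this shared factory` above the call. What the resolver actually does is inferred from its name, since EmptyEntityResolver.java is only renamed in this commit and its body is not shown. The static block continues past the end of the hunk.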