VYPR
Moderate severity · NVD Advisory · Published May 21, 2018 · Updated Sep 17, 2024

CVE-2018-8010

Description

This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Solr XXE vulnerability in config files allows remote attackers to read arbitrary files via crafted configsets.

Vulnerability

This vulnerability affects Apache Solr versions 6.0.0 to 6.6.3 and 7.0.0 to 7.3.0. It is an XML external entity expansion (XXE) vulnerability in Solr's configuration files: solrconfig.xml, schema.xml, and managed-schema. Additionally, XInclude functionality in these files is similarly affected. The vulnerable code path is reachable when using the configset upload API [1][2].

Exploitation

An attacker needs network access to the Solr server and the ability to upload a configset via the API. The attacker creates a configset directory with a malicious solrconfig.xml that defines an external entity referencing a local file (e.g., using file: protocol). The attacker then uploads the configset as a ZIP archive and creates a collection using that configset. When the server processes the configuration, the XXE triggers, and the file contents are included in the Solr response (e.g., in a request handler's defaults) [2].

Impact

Successful exploitation allows the attacker to read arbitrary local files from the Solr server or internal network resources using file, ftp, or http protocols. This can lead to disclosure of sensitive data such as passwords, keys, or configuration details. The attack does not require authentication, though the configset upload API must be enabled and accessible [1][2].

Mitigation

Upgrade to Apache Solr 6.6.4 or 7.3.1, which restrict external entities and XIncludes to local files or ZooKeeper resources below the Solr instance directory using Solr's ResourceLoader, denying absolute URLs. After upgrade, no further steps are required [1]. No workarounds are documented for unpatched installations.
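The patched resolver's rule is simple to state: a systemId or XInclude href is allowed only if it is relative (and is then resolved below the instance directory through the ResourceLoader); anything with a scheme or a rooted path is refused. The following audit script is an added, defender-side example and is not part of this advisory or of Solr's own code. It scans the three config file types named above for external entity declarations and XInclude hrefs and classifies each reference the way the fixed SystemIdResolver would, so a configset can be checked before it is uploaded, or so an existing deployment can be triaged while an upgrade is pending. The sample configset, `example.invalid`, and the file paths are constructed placeholders.

```python
"""Audit a Solr configset for external-entity and XInclude references.

Added example (not Solr's code): mirrors the post-fix SystemIdResolver policy,
which rejects absolute systemIds / hrefs and resolves only relative ones below
the instance directory via the ResourceLoader.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample configset (not taken from any real deployment).
# example.invalid and the file paths are placeholders.
SAMPLE_CONFIGSET: Dict[str, str] = {
    "solrconfig.xml": """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE config [
  <!ENTITY secret SYSTEM "file:///srv/app/secrets.properties">
  <!ENTITY shared SYSTEM "shared-settings.xml">
]>
<config xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="http://example.invalid/handlers.xml"/>
  <xi:include href="handlers.xml"/>
  <requestHandler name="/select" class="solr.SearchHandler">&shared;</requestHandler>
</config>
""",
    "managed-schema": """<?xml version="1.0"?>
<!DOCTYPE schema [
  <!ENTITY % remote SYSTEM "ftp://example.invalid/types.dtd">
  %remote;
]>
<schema name="example" version="1.6" xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href='types/common-types.xml'/>
</schema>
""",
}

# A quoted literal in either quote style; the value lands in group 1 or group 2.
QUOTED = r"(?:\"([^\"]*)\"|'([^']*)')"
# <!ENTITY name SYSTEM "uri">  or  <!ENTITY % name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[\w.-]+\s+(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+" + QUOTED
)
# <xi:include href="..."> with any namespace prefix; attribute order does not matter.
XINCLUDE_RE = re.compile(r"<(?:[\w.-]+:)?include\b[^>]*?\bhref\s*=\s*" + QUOTED)


@dataclass(frozen=True)
class Finding:
    file: str
    kind: str       # "entity" or "xinclude"
    ref: str        # the systemId / href exactly as written
    absolute: bool  # True -> the fixed resolver refuses it


def is_absolute(ref: str) -> bool:
    """Absolute means: carries a URI scheme (file:, http:, ftp:, ...) or is a rooted path."""
    ref = ref.strip()
    if ref.startswith(("/", "\\")):
        return True
    return bool(urlsplit(ref).scheme)


def _value(m: "re.Match") -> str:
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_external_refs(xml_text: str) -> List[Tuple[str, str]]:
    """Return (kind, ref) for every external entity declaration and XInclude href."""
    refs: List[Tuple[str, str]] = []
    for m in ENTITY_RE.finditer(xml_text):
        refs.append(("entity", _value(m)))
    for m in XINCLUDE_RE.finditer(xml_text):
        refs.append(("xinclude", _value(m)))
    return refs


def audit_configset(files: Dict[str, str]) -> List[Finding]:
    """Classify every external reference in the configset; absolute ones are the XXE vector."""
    return [
        Finding(name, kind, ref, is_absolute(ref))
        for name, text in files.items()
        for kind, ref in find_external_refs(text)
    ]


def rejected_refs(files: Dict[str, str]) -> List[str]:
    """References the patched SystemIdResolver would refuse (absolute URIs or rooted paths)."""
    return [f.ref for f in audit_configset(files) if f.absolute]


if __name__ == "__main__":
    for f in audit_configset(SAMPLE_CONFIGSET):
        verdict = "REJECT (absolute)" if f.absolute else "allow (relative, via ResourceLoader)"
        print(f"{f.file}: {f.kind} -> {f.ref!r}: {verdict}")
```

Run it over the unpacked contents of a configset ZIP before the upload is accepted (a CI gate or an admission check in front of the configset API is the natural place). Everything it reports as absolute is exactly what 6.6.4 and 7.3.1 refuse, and on an unpatched version it is the reference the advisory describes as the file-read vector; relative references are still resolved and should be reviewed for intent, but they stay inside the instance directory on the fixed releases.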

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   | Ecosystem | Affected versions  | Patched versions
org.apache.solr:solr-core | Maven     | >= 6.6.0, < 6.6.4  | 6.6.4
org.apache.solr:solr-core | Maven     | >= 7.0.0, < 7.3.1  | 7.3.1

Affected products: 2

Patches (8)
4ba409e0ff3d

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +25 −14
  • solr/CHANGES.txt (modified, +4 −2)
    @@ -29,9 +29,11 @@ Apache UIMA 2.3.1
     Apache ZooKeeper 3.4.10
     Jetty 9.3.14.v20161028
     
    +Bug Fixes
    +----------------------
     
    -(No Changes)
    -
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
     
     ==================  6.6.3 ==================
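Review bot: the new CHANGES entry says what the resolver now rejects but not why; since this closes the config-file XXE / XInclude file-read issue the advisory describes, the entry should state that it is a security fix (and carry the CVE id once assigned) so operators reading release notes prioritise the upgrade rather than reading it as a behaviour restriction.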
     
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java (modified, +4 −10)
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
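Review bot: failing closed instead of returning null is the right fix, since null handed control to the JAXP default resolver, which would happily fetch file:, http: and ftp: systemIds; two follow-ups. First, the new IOException message echoes the caller-supplied systemId verbatim, so check that the layer surfacing config-load errors through the API does not reflect an attacker-chosen URI back unescaped. Second, the advisory says XInclude hrefs are affected the same way, yet this hunk changes only EntityResolver2.resolveEntity and the test hunk exercises only that method; confirm the XInclude-aware parser is wired to this same resolver, otherwise the href path stays open.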
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java (modified, +17 −2)
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
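Review bot: the third case only proves that "/etc/passwd" was not found ("Can't find resource '/etc/passwd' in classpath or"), so it would pass equally if the ResourceLoader resolved the rooted path outside the instance directory and the file merely happened to be absent on the test host; assert that the loader refuses paths outside its base, or use a rooted path that does exist on the test machine. Two smaller points: the advisory names file, ftp and http, but only file: and http: are covered here, so add an ftp: case; and matching on message prefixes ties the test to wording that is likely to change, so consider a dedicated exception type or a message constant shared with SystemIdResolver.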
    
6d082d5743de

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +43 −12
  • solr/CHANGES.txt (modified, +22 −0)
    @@ -155,6 +155,9 @@ when using one of Exact*StatsCache (Mikhail Khludnev)
     * SOLR-11177: CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send
       them all to the transient lists. (Erick Erickson)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     Optimizations
     ----------------------
     * SOLR-10634: JSON Facet API: When a field/terms facet will retrieve all buckets (i.e. limit:-1)
    @@ -218,6 +221,25 @@ Other Changes
      * SOLR-11122: Creating a core should write a core.properties file first and clean up on failure
        (Erick Erickson)
     
    +==================  6.6.4 ==================
    +
    +Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    +
    +Versions of Major Components
    +---------------------
    +Apache Tika 1.13
    +Carrot2 3.15.0
    +Velocity 1.7 and Velocity Tools 2.0
    +Apache UIMA 2.3.1
    +Apache ZooKeeper 3.4.10
    +Jetty 9.3.14.v20161028
    +
    +Bug Fixes
    +----------------------
    +
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     ==================  6.6.3 ==================
     
     Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
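Review bot: with this hunk the SOLR-12316 entry appears twice in CHANGES.txt, once in the section touched by the previous hunk (after the SOLR-11177 entry) and again under the new 6.6.4 section; keep only the copy under the release that actually ships the fix so the changelog does not suggest two separate changes.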
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java (modified, +4 −10)
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java (modified, +17 −2)
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    
96f079b4b47e

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +24 −12
  • solr/CHANGES.txt (modified, +3 −0)
    @@ -186,6 +186,9 @@ Bug Fixes
     
     * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     Optimizations
     ----------------------
     
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java (modified, +4 −10)
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java (modified, +17 −2)
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    
6c4e45e28494

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +26 −13
  • solr/CHANGES.txt (modified, +5 −1)
    @@ -36,7 +36,8 @@ Bug Fixes
     
     * SOLR-12256: Fixed some eventual-consistency issues with collection aliases by using ZooKeeper.sync(). (David Smiley)
     
    -* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down state (Cao Manh Dat)
    +* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down 
    +  state (Cao Manh Dat)
     
     * SOLR-12146: LIR should skip deleted replicas (Cao Manh Dat)
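Review bot: the rewrap of the SOLR-12087 line into two lines is an unrelated whitespace change inside a security fix; drop it so this backport carries only the SOLR-12316 entry and stays trivially comparable with the other branches' commits.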
     
    @@ -50,6 +51,9 @@ Bug Fixes
     
     * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     ==================  7.3.0 ==================
     
     Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java (modified, +4 −10)
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java (modified, +17 −2)
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    
6d082d5743de

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solrUwe SchindlerMay 6, 2018via ghsa
3 files changed · +43 12
  • solr/CHANGES.txt+22 0 modified
    @@ -155,6 +155,9 @@ when using one of Exact*StatsCache (Mikhail Khludnev)
     * SOLR-11177: CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send
       them all to the transient lists. (Erick Erickson)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     Optimizations
     ----------------------
     * SOLR-10634: JSON Facet API: When a field/terms facet will retrieve all buckets (i.e. limit:-1)
    @@ -218,6 +221,25 @@ Other Changes
      * SOLR-11122: Creating a core should write a core.properties file first and clean up on failure
        (Erick Erickson)
     
    +==================  6.6.4 ==================
    +
    +Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    +
    +Versions of Major Components
    +---------------------
    +Apache Tika 1.13
    +Carrot2 3.15.0
    +Velocity 1.7 and Velocity Tools 2.0
    +Apache UIMA 2.3.1
    +Apache ZooKeeper 3.4.10
    +Jetty 9.3.14.v20161028
    +
    +Bug Fixes
    +----------------------
    +
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     ==================  6.6.3 ==================
     
     Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java+4 10 modified
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java+17 2 modified
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    
6c4e45e28494

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solrUwe SchindlerMay 6, 2018via ghsa
3 files changed · +26 13
  • solr/CHANGES.txt+5 1 modified
    @@ -36,7 +36,8 @@ Bug Fixes
     
     * SOLR-12256: Fixed some eventual-consistency issues with collection aliases by using ZooKeeper.sync(). (David Smiley)
     
    -* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down state (Cao Manh Dat)
    +* SOLR-12087: Deleting replicas sometimes fails and causes the replicas to exist in the down 
    +  state (Cao Manh Dat)
     
     * SOLR-12146: LIR should skip deleted replicas (Cao Manh Dat)
     
    @@ -50,6 +51,9 @@ Bug Fixes
     
     * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     ==================  7.3.0 ==================
     
     Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java+4 10 modified
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
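Review bot: Brace-only change; behaviour for a null systemId is unchanged (still returns null, letting the parser handle it). That is correct because there is nothing to resolve, but it deserves a one-line comment: after this commit a null systemId is the only path by which this resolver ever hands control back to the default resolver, and a later reader comparing it with the now fail-closed branches below may take it for an oversight.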
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
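Review bot: The `else` branch is the actual fix: returning null from an EntityResolver tells the SAX parser to resolve the systemId itself, which is the fallback that let absolute file:, http: and ftp: references in entity declarations and includes be fetched by the parser; throwing an IOException removes that fallback, and the catch block now fails closed on malformed URIs as well (the "systax" typo in the old warning disappears with it). Two things to check: (1) both messages echo the caller-supplied systemId verbatim, which is good for diagnostics but means it will be reflected into error responses and logs, so decide whether that is acceptable or whether to length-limit it; (2) the CHANGES entry also claims XInclude coverage, while this hunk only changes resolveEntity, so confirm that the resolver used for XInclude hrefs delegates here and does not keep its own return-null path.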
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java  +17 -2  modified
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
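Review bot: The third case (`/etc/passwd`) does not exercise the new branch: the expected message "Can't find resource '/etc/passwd' in classpath or" comes from the ResourceLoader, meaning the path was resolved as a resource relative to the `solrres:` base rather than rejected as absolute, so it passes only because no such resource exists under the test config directory and it couples the test to the loader's message text. It is still a worthwhile regression check (the path must never reach the real filesystem), but a comment saying that is the intent would avoid confusion. All three assertions match on a message prefix, which is brittle; asserting on the exception type plus `contains(systemId)` would survive message edits. Consider adding an `ftp:` case next to `http:`, since the new error message claims to cover all absolute systemIds; the relative-include positive cases are already covered by the assertEntityResolving calls above.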
    
96f079b4b47e

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +24 -12
  • solr/CHANGES.txt  +3 -0  modified
    @@ -186,6 +186,9 @@ Bug Fixes
     
     * SOLR-12202: Fix errors in solr-exporter.cmd. (Minoru Osuka via koji)
     
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
    +
     Optimizations
     ----------------------
     
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java  +4 -10  modified
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java  +17 -2  modified
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    
4ba409e0ff3d

SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing

https://github.com/apache/lucene-solr · Uwe Schindler · May 6, 2018 · via ghsa
3 files changed · +25 -14
  • solr/CHANGES.txt  +4 -2  modified
    @@ -29,9 +29,11 @@ Apache UIMA 2.3.1
     Apache ZooKeeper 3.4.10
     Jetty 9.3.14.v20161028
     
    +Bug Fixes
    +----------------------
     
    -(No Changes)
    -
    +* SOLR-12316: Do not allow to use absolute URIs for including other files in solrconfig.xml and schema parsing.
    +  (Ananthesh, Ishan Chattopadhyaya, Uwe Schindler)
     
     ==================  6.6.3 ==================
     
    
  • solr/core/src/java/org/apache/solr/util/SystemIdResolver.java  +4 -10  modified
    @@ -16,17 +16,13 @@
      */
     package org.apache.solr.util;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
     import org.apache.lucene.analysis.util.ResourceLoader;
     
     import org.xml.sax.InputSource;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ext.EntityResolver2;
     import java.io.File;
     import java.io.IOException;
    -import java.lang.invoke.MethodHandles;
     import java.net.URI;
     import java.net.URISyntaxException;
     import javax.xml.transform.Source;
    @@ -55,7 +51,6 @@
      * </pre>
      */
     public final class SystemIdResolver implements EntityResolver, EntityResolver2 {
    -  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
     
       public static final String RESOURCE_LOADER_URI_SCHEME = "solrres";
       public static final String RESOURCE_LOADER_AUTHORITY_ABSOLUTE = "@";
    @@ -126,8 +121,9 @@ public InputSource getExternalSubset(String name, String baseURI) {
       
       @Override
       public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws IOException {
    -    if (systemId == null)
    +    if (systemId == null) {
           return null;
    +    }
         try {
           final URI uri = resolveRelativeURI(baseURI, systemId);
           
    @@ -147,12 +143,10 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
               throw new IOException(re.getMessage(), re);
             }
           } else {
    -        // resolve all other URIs using the standard resolver
    -        return null;
    +        throw new IOException("Cannot resolve absolute systemIDs / external entities (only relative paths work): " + systemId);
           }
         } catch (URISyntaxException use) {
    -      log.warn("An URI systax problem occurred during resolving SystemId, falling back to default resolver", use);
    -      return null;
    +      throw new IOException("An URI syntax problem occurred during resolving systemId: " + systemId, use);
         }
       }
     
    
  • solr/core/src/test/org/apache/solr/util/TestSystemIdResolver.java  +17 -2  modified
    @@ -17,6 +17,7 @@
     package org.apache.solr.util;
     
     import java.io.File;
    +import java.io.IOException;
     import java.nio.file.Path;
     
     import org.apache.commons.io.IOUtils;
    @@ -76,8 +77,22 @@ public void testResolving() throws Exception {
         assertEntityResolving(resolver, SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-schema.xml"),
           SystemIdResolver.createSystemIdFromResourceName(testHome+"/crazy-path-to-config.xml"), "crazy-path-to-schema.xml");
         
    -    // test, that resolving works if somebody uses an absolute file:-URI in a href attribute, the resolver should return null (default fallback)
    -    assertNull(resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri));
    +    // if somebody uses an absolute uri (e.g., file://) we should fail resolving:
    +    IOException ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", fileUri);
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "http://lucene.apache.org/test.xml");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Cannot resolve absolute"));
    +    
    +    // check that we can't escape with absolute file paths:
    +    ioe = expectThrows(IOException.class, () -> {
    +      resolver.resolveEntity(null, null, "solrres:/solrconfig.xml", "/etc/passwd");
    +    });
    +    assertTrue(ioe.getMessage().startsWith("Can't find resource '/etc/passwd' in classpath or"));
       }
     
     }
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
