CVE-2018-8026

@@ -221,6 +221,25 @@ Other Changes
  * SOLR-11122: Creating a core should write a core.properties file first and clean up on failure
    (Erick Erickson)
 
+==================  6.6.5 ==================
+
+Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
+
+Versions of Major Components
+---------------------
+Apache Tika 1.13
+Carrot2 3.15.0
+Velocity 1.7 and Velocity Tools 2.0
+Apache UIMA 2.3.1
+Apache ZooKeeper 3.4.10
+Jetty 9.3.14.v20161028
+
+Bug Fixes
+----------------------
+
+ * SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 ==================  6.6.4 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -358,6 +358,9 @@ Bug Fixes
   but 'bin/solr create' tells users to use the default action 'set-property', which fails
   because the property is not editable. (Steve Rowe)
 
+* SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 Optimizations
 ----------------------
 

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -18,14 +18,12 @@
 package org.apache.solr.schema;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
+
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
@@ -38,8 +36,10 @@
 import org.apache.lucene.util.BytesRefBuilder;
 import org.apache.solr.common.EnumFieldValue;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.core.SolrResourceLoader;
 import org.apache.solr.response.TextResponseWriter;
 import org.apache.solr.search.QParser;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -51,7 +51,6 @@
  * Abstract Field type for support of string values with custom sort order.
  */
 public abstract class AbstractEnumField extends PrimitiveFieldType {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected EnumMapping enumMapping;
   
   @Override
@@ -69,6 +68,8 @@ public EnumMapping getEnumMapping() {
    * @lucene.internal
    */
   public static final class EnumMapping {
+    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
     public static final String PARAM_ENUMS_CONFIG = "enumsConfig";
     public static final String PARAM_ENUM_NAME = "enumName";
     public static final Integer DEFAULT_VALUE = -1;
@@ -105,67 +106,49 @@ public EnumMapping(IndexSchema schema, FieldType fieldType, Map<String, String>
                                 ftName + ": No enum name was configured.");
       }
       
-      InputStream is = null;
-      
+      final SolrResourceLoader loader = schema.getResourceLoader(); 
       try {
-        is = schema.getResourceLoader().openResource(enumsConfigFile);
-        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        try {
-          final Document doc = dbf.newDocumentBuilder().parse(is);
-          final XPathFactory xpathFactory = XPathFactory.newInstance();
-          final XPath xpath = xpathFactory.newXPath();
-          final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
-          final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
-          final int nodesLength = nodes.getLength();
-          if (nodesLength == 0) {
-            String exceptionMessage = String.format
-              (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+        log.debug("Reloading enums config file from {}", enumsConfigFile);
+        Document doc = SafeXMLParsing.parseConfigXML(log, loader, enumsConfigFile);
+        final XPathFactory xpathFactory = XPathFactory.newInstance();
+        final XPath xpath = xpathFactory.newXPath();
+        final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
+        final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
+        final int nodesLength = nodes.getLength();
+        if (nodesLength == 0) {
+          String exceptionMessage = String.format
+            (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+             ftName, enumName, enumsConfigFile);
+          throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
+        }
+        if (nodesLength > 1) {
+          if (log.isWarnEnabled())
+            log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
+                     ftName, enumName, enumsConfigFile);
+        }
+        final Node enumNode = nodes.item(nodesLength - 1);
+        final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
+        for (int i = 0; i < valueNodes.getLength(); i++) {
+          final Node valueNode = valueNodes.item(i);
+          final String valueStr = valueNode.getTextContent();
+          if ((valueStr == null) || (valueStr.length() == 0)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
                ftName, enumName, enumsConfigFile);
-            throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
-          }
-          if (nodesLength > 1) {
-            if (log.isWarnEnabled())
-              log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
-                       ftName, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
-          final Node enumNode = nodes.item(nodesLength - 1);
-          final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
-          for (int i = 0; i < valueNodes.getLength(); i++) {
-            final Node valueNode = valueNodes.item(i);
-            final String valueStr = valueNode.getTextContent();
-            if ((valueStr == null) || (valueStr.length() == 0)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
-                 ftName, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            if (enumStringToIntMap.containsKey(valueStr)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
-                 ftName, valueStr, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            enumIntToStringMap.put(i, valueStr);
-            enumStringToIntMap.put(valueStr, i);
+          if (enumStringToIntMap.containsKey(valueStr)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
+               ftName, valueStr, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
+          enumIntToStringMap.put(i, valueStr);
+          enumStringToIntMap.put(valueStr, i);
         }
-        catch (ParserConfigurationException | XPathExpressionException | SAXException e) {
-          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                  ftName + ": Error parsing enums config.", e);
-        }
-      }
-      catch (IOException e) {
+      } catch (IOException | SAXException | XPathExpressionException e) {
         throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                ftName + ": Error while opening enums config.", e);
-      } finally {
-        try {
-          if (is != null) {
-            is.close();
-          }
-        }
-        catch (IOException e) {
-          e.printStackTrace();
-        }
+                                ftName + ": Error while parsing enums config.", e);
       }
       
       if ((enumStringToIntMap.size() == 0) || (enumIntToStringMap.size() == 0)) {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -297,6 +297,9 @@ Bug Fixes
 * SOLR-12416: When creating a time routed alias, the router.autoDeleteAge option wasn't considered.
   (Joachim Sauer via David Smiley)
 
+* SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 Optimizations
 ----------------------
 

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -18,14 +18,12 @@
 package org.apache.solr.schema;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
+
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
@@ -38,8 +36,10 @@
 import org.apache.lucene.util.BytesRefBuilder;
 import org.apache.solr.common.EnumFieldValue;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.core.SolrResourceLoader;
 import org.apache.solr.response.TextResponseWriter;
 import org.apache.solr.search.QParser;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -51,7 +51,6 @@
  * Abstract Field type for support of string values with custom sort order.
  */
 public abstract class AbstractEnumField extends PrimitiveFieldType {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected EnumMapping enumMapping;
   
   @Override
@@ -69,6 +68,8 @@ public EnumMapping getEnumMapping() {
    * @lucene.internal
    */
   public static final class EnumMapping {
+    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
     public static final String PARAM_ENUMS_CONFIG = "enumsConfig";
     public static final String PARAM_ENUM_NAME = "enumName";
     public static final Integer DEFAULT_VALUE = -1;
@@ -105,67 +106,49 @@ public EnumMapping(IndexSchema schema, FieldType fieldType, Map<String, String>
                                 ftName + ": No enum name was configured.");
       }
       
-      InputStream is = null;
-      
+      final SolrResourceLoader loader = schema.getResourceLoader(); 
       try {
-        is = schema.getResourceLoader().openResource(enumsConfigFile);
-        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        try {
-          final Document doc = dbf.newDocumentBuilder().parse(is);
-          final XPathFactory xpathFactory = XPathFactory.newInstance();
-          final XPath xpath = xpathFactory.newXPath();
-          final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
-          final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
-          final int nodesLength = nodes.getLength();
-          if (nodesLength == 0) {
-            String exceptionMessage = String.format
-              (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+        log.debug("Reloading enums config file from {}", enumsConfigFile);
+        Document doc = SafeXMLParsing.parseConfigXML(log, loader, enumsConfigFile);
+        final XPathFactory xpathFactory = XPathFactory.newInstance();
+        final XPath xpath = xpathFactory.newXPath();
+        final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
+        final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
+        final int nodesLength = nodes.getLength();
+        if (nodesLength == 0) {
+          String exceptionMessage = String.format
+            (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+             ftName, enumName, enumsConfigFile);
+          throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
+        }
+        if (nodesLength > 1) {
+          if (log.isWarnEnabled())
+            log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
+                     ftName, enumName, enumsConfigFile);
+        }
+        final Node enumNode = nodes.item(nodesLength - 1);
+        final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
+        for (int i = 0; i < valueNodes.getLength(); i++) {
+          final Node valueNode = valueNodes.item(i);
+          final String valueStr = valueNode.getTextContent();
+          if ((valueStr == null) || (valueStr.length() == 0)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
                ftName, enumName, enumsConfigFile);
-            throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
-          }
-          if (nodesLength > 1) {
-            if (log.isWarnEnabled())
-              log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
-                       ftName, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
-          final Node enumNode = nodes.item(nodesLength - 1);
-          final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
-          for (int i = 0; i < valueNodes.getLength(); i++) {
-            final Node valueNode = valueNodes.item(i);
-            final String valueStr = valueNode.getTextContent();
-            if ((valueStr == null) || (valueStr.length() == 0)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
-                 ftName, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            if (enumStringToIntMap.containsKey(valueStr)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
-                 ftName, valueStr, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            enumIntToStringMap.put(i, valueStr);
-            enumStringToIntMap.put(valueStr, i);
+          if (enumStringToIntMap.containsKey(valueStr)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
+               ftName, valueStr, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
+          enumIntToStringMap.put(i, valueStr);
+          enumStringToIntMap.put(valueStr, i);
         }
-        catch (ParserConfigurationException | XPathExpressionException | SAXException e) {
-          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                  ftName + ": Error parsing enums config.", e);
-        }
-      }
-      catch (IOException e) {
+      } catch (IOException | SAXException | XPathExpressionException e) {
         throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                ftName + ": Error while opening enums config.", e);
-      } finally {
-        try {
-          if (is != null) {
-            is.close();
-          }
-        }
-        catch (IOException e) {
-          e.printStackTrace();
-        }
+                                ftName + ": Error while parsing enums config.", e);
       }
       
       if ((enumStringToIntMap.size() == 0) || (enumIntToStringMap.size() == 0)) {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -16,6 +16,25 @@ In this release, there is an example Solr server including a bundled
 servlet container in the directory named "example".
 See the Quick Start guide at http://lucene.apache.org/solr/quickstart.html
 
+==================  6.6.5 ==================
+
+Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
+
+Versions of Major Components
+---------------------
+Apache Tika 1.13
+Carrot2 3.15.0
+Velocity 1.7 and Velocity Tools 2.0
+Apache UIMA 2.3.1
+Apache ZooKeeper 3.4.10
+Jetty 9.3.14.v20161028
+
+Bug Fixes
+----------------------
+
+ * SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 ==================  6.6.4 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -221,6 +221,25 @@ Other Changes
  * SOLR-11122: Creating a core should write a core.properties file first and clean up on failure
    (Erick Erickson)
 
+==================  6.6.5 ==================
+
+Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
+
+Versions of Major Components
+---------------------
+Apache Tika 1.13
+Carrot2 3.15.0
+Velocity 1.7 and Velocity Tools 2.0
+Apache UIMA 2.3.1
+Apache ZooKeeper 3.4.10
+Jetty 9.3.14.v20161028
+
+Bug Fixes
+----------------------
+
+ * SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 ==================  6.6.4 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -16,6 +16,25 @@ In this release, there is an example Solr server including a bundled
 servlet container in the directory named "example".
 See the Quick Start guide at http://lucene.apache.org/solr/quickstart.html
 
+==================  6.6.5 ==================
+
+Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
+
+Versions of Major Components
+---------------------
+Apache Tika 1.13
+Carrot2 3.15.0
+Velocity 1.7 and Velocity Tools 2.0
+Apache UIMA 2.3.1
+Apache ZooKeeper 3.4.10
+Jetty 9.3.14.v20161028
+
+Bug Fixes
+----------------------
+
+ * SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 ==================  6.6.4 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -358,6 +358,9 @@ Bug Fixes
   but 'bin/solr create' tells users to use the default action 'set-property', which fails
   because the property is not editable. (Steve Rowe)
 
+* SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 Optimizations
 ----------------------
 

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -18,14 +18,12 @@
 package org.apache.solr.schema;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
+
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
@@ -38,8 +36,10 @@
 import org.apache.lucene.util.BytesRefBuilder;
 import org.apache.solr.common.EnumFieldValue;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.core.SolrResourceLoader;
 import org.apache.solr.response.TextResponseWriter;
 import org.apache.solr.search.QParser;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -51,7 +51,6 @@
  * Abstract Field type for support of string values with custom sort order.
  */
 public abstract class AbstractEnumField extends PrimitiveFieldType {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected EnumMapping enumMapping;
   
   @Override
@@ -69,6 +68,8 @@ public EnumMapping getEnumMapping() {
    * @lucene.internal
    */
   public static final class EnumMapping {
+    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
     public static final String PARAM_ENUMS_CONFIG = "enumsConfig";
     public static final String PARAM_ENUM_NAME = "enumName";
     public static final Integer DEFAULT_VALUE = -1;
@@ -105,67 +106,49 @@ public EnumMapping(IndexSchema schema, FieldType fieldType, Map<String, String>
                                 ftName + ": No enum name was configured.");
       }
       
-      InputStream is = null;
-      
+      final SolrResourceLoader loader = schema.getResourceLoader(); 
       try {
-        is = schema.getResourceLoader().openResource(enumsConfigFile);
-        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        try {
-          final Document doc = dbf.newDocumentBuilder().parse(is);
-          final XPathFactory xpathFactory = XPathFactory.newInstance();
-          final XPath xpath = xpathFactory.newXPath();
-          final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
-          final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
-          final int nodesLength = nodes.getLength();
-          if (nodesLength == 0) {
-            String exceptionMessage = String.format
-              (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+        log.debug("Reloading enums config file from {}", enumsConfigFile);
+        Document doc = SafeXMLParsing.parseConfigXML(log, loader, enumsConfigFile);
+        final XPathFactory xpathFactory = XPathFactory.newInstance();
+        final XPath xpath = xpathFactory.newXPath();
+        final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
+        final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
+        final int nodesLength = nodes.getLength();
+        if (nodesLength == 0) {
+          String exceptionMessage = String.format
+            (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+             ftName, enumName, enumsConfigFile);
+          throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
+        }
+        if (nodesLength > 1) {
+          if (log.isWarnEnabled())
+            log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
+                     ftName, enumName, enumsConfigFile);
+        }
+        final Node enumNode = nodes.item(nodesLength - 1);
+        final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
+        for (int i = 0; i < valueNodes.getLength(); i++) {
+          final Node valueNode = valueNodes.item(i);
+          final String valueStr = valueNode.getTextContent();
+          if ((valueStr == null) || (valueStr.length() == 0)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
                ftName, enumName, enumsConfigFile);
-            throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
-          }
-          if (nodesLength > 1) {
-            if (log.isWarnEnabled())
-              log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
-                       ftName, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
-          final Node enumNode = nodes.item(nodesLength - 1);
-          final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
-          for (int i = 0; i < valueNodes.getLength(); i++) {
-            final Node valueNode = valueNodes.item(i);
-            final String valueStr = valueNode.getTextContent();
-            if ((valueStr == null) || (valueStr.length() == 0)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
-                 ftName, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            if (enumStringToIntMap.containsKey(valueStr)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
-                 ftName, valueStr, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            enumIntToStringMap.put(i, valueStr);
-            enumStringToIntMap.put(valueStr, i);
+          if (enumStringToIntMap.containsKey(valueStr)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
+               ftName, valueStr, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
+          enumIntToStringMap.put(i, valueStr);
+          enumStringToIntMap.put(valueStr, i);
         }
-        catch (ParserConfigurationException | XPathExpressionException | SAXException e) {
-          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                  ftName + ": Error parsing enums config.", e);
-        }
-      }
-      catch (IOException e) {
+      } catch (IOException | SAXException | XPathExpressionException e) {
         throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                ftName + ": Error while opening enums config.", e);
-      } finally {
-        try {
-          if (is != null) {
-            is.close();
-          }
-        }
-        catch (IOException e) {
-          e.printStackTrace();
-        }
+                                ftName + ": Error while parsing enums config.", e);
       }
       
       if ((enumStringToIntMap.size() == 0) || (enumIntToStringMap.size() == 0)) {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}

@@ -297,6 +297,9 @@ Bug Fixes
 * SOLR-12416: When creating a time routed alias, the router.autoDeleteAge option wasn't considered.
   (Joachim Sauer via David Smiley)
 
+* SOLR-12450: Don't allow referal to external resources in various config files.
+  (Yuyang Xiao, Uwe Schindler)
+
 Optimizations
 ----------------------
 

@@ -16,27 +16,31 @@
  */
 package org.apache.solr.handler.extraction;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.beans.BeanInfo;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
-import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.SafeXMLParsing;
 import org.apache.tika.parser.ParseContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 public class ParseContextConfig {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
   private final Map<Class<?>, Object> entries = new HashMap<>();
 
   /** Creates an empty Config without any settings (used as placeholder). */
@@ -54,9 +58,7 @@ public ParseContextConfig(SolrResourceLoader resourceLoader, String parseContext
   }
   
   private static Document loadConfigFile(SolrResourceLoader resourceLoader, String parseContextConfigLoc) throws Exception {
-    try (InputStream in = resourceLoader.openResource(parseContextConfigLoc)) {
-      return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in, parseContextConfigLoc);
-    }
+    return SafeXMLParsing.parseConfigXML(log, resourceLoader, parseContextConfigLoc);
   }
 
   private void extract(Element element, SolrResourceLoader loader) throws Exception {

@@ -18,14 +18,12 @@
 package org.apache.solr.schema;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
+
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
@@ -38,8 +36,10 @@
 import org.apache.lucene.util.BytesRefBuilder;
 import org.apache.solr.common.EnumFieldValue;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.core.SolrResourceLoader;
 import org.apache.solr.response.TextResponseWriter;
 import org.apache.solr.search.QParser;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -51,7 +51,6 @@
  * Abstract Field type for support of string values with custom sort order.
  */
 public abstract class AbstractEnumField extends PrimitiveFieldType {
-  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected EnumMapping enumMapping;
   
   @Override
@@ -69,6 +68,8 @@ public EnumMapping getEnumMapping() {
    * @lucene.internal
    */
   public static final class EnumMapping {
+    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
     public static final String PARAM_ENUMS_CONFIG = "enumsConfig";
     public static final String PARAM_ENUM_NAME = "enumName";
     public static final Integer DEFAULT_VALUE = -1;
@@ -105,67 +106,49 @@ public EnumMapping(IndexSchema schema, FieldType fieldType, Map<String, String>
                                 ftName + ": No enum name was configured.");
       }
       
-      InputStream is = null;
-      
+      final SolrResourceLoader loader = schema.getResourceLoader(); 
       try {
-        is = schema.getResourceLoader().openResource(enumsConfigFile);
-        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        try {
-          final Document doc = dbf.newDocumentBuilder().parse(is);
-          final XPathFactory xpathFactory = XPathFactory.newInstance();
-          final XPath xpath = xpathFactory.newXPath();
-          final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
-          final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
-          final int nodesLength = nodes.getLength();
-          if (nodesLength == 0) {
-            String exceptionMessage = String.format
-              (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+        log.debug("Reloading enums config file from {}", enumsConfigFile);
+        Document doc = SafeXMLParsing.parseConfigXML(log, loader, enumsConfigFile);
+        final XPathFactory xpathFactory = XPathFactory.newInstance();
+        final XPath xpath = xpathFactory.newXPath();
+        final String xpathStr = String.format(Locale.ROOT, "/enumsConfig/enum[@name='%s']", enumName);
+        final NodeList nodes = (NodeList) xpath.evaluate(xpathStr, doc, XPathConstants.NODESET);
+        final int nodesLength = nodes.getLength();
+        if (nodesLength == 0) {
+          String exceptionMessage = String.format
+            (Locale.ENGLISH, "%s: No enum configuration found for enum '%s' in %s.",
+             ftName, enumName, enumsConfigFile);
+          throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
+        }
+        if (nodesLength > 1) {
+          if (log.isWarnEnabled())
+            log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
+                     ftName, enumName, enumsConfigFile);
+        }
+        final Node enumNode = nodes.item(nodesLength - 1);
+        final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
+        for (int i = 0; i < valueNodes.getLength(); i++) {
+          final Node valueNode = valueNodes.item(i);
+          final String valueStr = valueNode.getTextContent();
+          if ((valueStr == null) || (valueStr.length() == 0)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
                ftName, enumName, enumsConfigFile);
-            throw new SolrException(SolrException.ErrorCode.NOT_FOUND, exceptionMessage);
-          }
-          if (nodesLength > 1) {
-            if (log.isWarnEnabled())
-              log.warn("{}: More than one enum configuration found for enum '{}' in {}. The last one was taken.",
-                       ftName, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
-          final Node enumNode = nodes.item(nodesLength - 1);
-          final NodeList valueNodes = (NodeList) xpath.evaluate("value", enumNode, XPathConstants.NODESET);
-          for (int i = 0; i < valueNodes.getLength(); i++) {
-            final Node valueNode = valueNodes.item(i);
-            final String valueStr = valueNode.getTextContent();
-            if ((valueStr == null) || (valueStr.length() == 0)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A value was defined with an no value in enum '%s' in %s.",
-                 ftName, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            if (enumStringToIntMap.containsKey(valueStr)) {
-              final String exceptionMessage = String.format
-                (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
-                 ftName, valueStr, enumName, enumsConfigFile);
-              throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
-            }
-            enumIntToStringMap.put(i, valueStr);
-            enumStringToIntMap.put(valueStr, i);
+          if (enumStringToIntMap.containsKey(valueStr)) {
+            final String exceptionMessage = String.format
+              (Locale.ENGLISH, "%s: A duplicated definition was found for value '%s' in enum '%s' in %s.",
+               ftName, valueStr, enumName, enumsConfigFile);
+            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, exceptionMessage);
           }
+          enumIntToStringMap.put(i, valueStr);
+          enumStringToIntMap.put(valueStr, i);
         }
-        catch (ParserConfigurationException | XPathExpressionException | SAXException e) {
-          throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                  ftName + ": Error parsing enums config.", e);
-        }
-      }
-      catch (IOException e) {
+      } catch (IOException | SAXException | XPathExpressionException e) {
         throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
-                                ftName + ": Error while opening enums config.", e);
-      } finally {
-        try {
-          if (is != null) {
-            is.close();
-          }
-        }
-        catch (IOException e) {
-          e.printStackTrace();
-        }
+                                ftName + ": Error while parsing enums config.", e);
       }
       
       if ((enumStringToIntMap.size() == 0) || (enumIntToStringMap.size() == 0)) {

@@ -17,22 +17,21 @@
 
 package org.apache.solr.schema;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 import java.io.IOException;
-import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.lucene.analysis.util.ResourceLoader;
 import org.apache.solr.common.SolrException;
+import org.apache.solr.util.SafeXMLParsing;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -46,6 +45,7 @@
  */
 class FileExchangeRateProvider implements ExchangeRateProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   protected static final String PARAM_CURRENCY_CONFIG       = "currencyConfig";
 
   // Exchange rate map, maps Currency Code -> Currency Code -> Rate
@@ -159,71 +159,49 @@ public Set<String> listAvailableCurrencies() {
 
   @Override
   public boolean reload() throws SolrException {
-    InputStream is = null;
     Map<String, Map<String, Double>> tmpRates = new HashMap<>();
+    log.debug("Reloading exchange rates from file {}", currencyConfigFile);
+
     try {
-      log.debug("Reloading exchange rates from file "+this.currencyConfigFile);
-
-      is = loader.openResource(currencyConfigFile);
-      javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-      try {
-        dbf.setXIncludeAware(true);
-        dbf.setNamespaceAware(true);
-      } catch (UnsupportedOperationException e) {
-        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
-      }
+      Document doc = SafeXMLParsing.parseConfigXML(log, loader, currencyConfigFile);
+      XPathFactory xpathFactory = XPathFactory.newInstance();
+      XPath xpath = xpathFactory.newXPath();
+      
+      // Parse exchange rates.
+      NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
       
-      try {
-        Document doc = dbf.newDocumentBuilder().parse(is);
-        XPathFactory xpathFactory = XPathFactory.newInstance();
-        XPath xpath = xpathFactory.newXPath();
+      for (int i = 0; i < nodes.getLength(); i++) {
+        Node rateNode = nodes.item(i);
+        NamedNodeMap attributes = rateNode.getAttributes();
+        Node from = attributes.getNamedItem("from");
+        Node to = attributes.getNamedItem("to");
+        Node rate = attributes.getNamedItem("rate");
+        
+        if (from == null || to == null || rate == null) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
+        }
         
-        // Parse exchange rates.
-        NodeList nodes = (NodeList) xpath.evaluate("/currencyConfig/rates/rate", doc, XPathConstants.NODESET);
+        String fromCurrency = from.getNodeValue();
+        String toCurrency = to.getNodeValue();
+        Double exchangeRate;
         
-        for (int i = 0; i < nodes.getLength(); i++) {
-          Node rateNode = nodes.item(i);
-          NamedNodeMap attributes = rateNode.getAttributes();
-          Node from = attributes.getNamedItem("from");
-          Node to = attributes.getNamedItem("to");
-          Node rate = attributes.getNamedItem("rate");
-          
-          if (from == null || to == null || rate == null) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Exchange rate missing attributes (required: from, to, rate) " + rateNode);
-          }
-          
-          String fromCurrency = from.getNodeValue();
-          String toCurrency = to.getNodeValue();
-          Double exchangeRate;
-          
-          if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
-          }
-          if (null == CurrencyFieldType.getCurrency(toCurrency)) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
-          }
-          
-          try {
-            exchangeRate = Double.parseDouble(rate.getNodeValue());
-          } catch (NumberFormatException e) {
-            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
-          }
-          
-          addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
+        if (null == CurrencyFieldType.getCurrency(fromCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'from' currency not supported in this JVM: " + fromCurrency);
         }
-      } catch (SAXException | XPathExpressionException | ParserConfigurationException | IOException e) {
-        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing currency config.", e);
-      }
-    } catch (IOException e) {
-      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while opening Currency configuration file "+currencyConfigFile, e);
-    } finally {
-      try {
-        if (is != null) {
-          is.close();
+        if (null == CurrencyFieldType.getCurrency(toCurrency)) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Specified 'to' currency not supported in this JVM: " + toCurrency);
+        }
+        
+        try {
+          exchangeRate = Double.parseDouble(rate.getNodeValue());
+        } catch (NumberFormatException e) {
+          throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Could not parse exchange rate: " + rateNode, e);
         }
-      } catch (IOException e) {
-        e.printStackTrace();
+        
+        addRate(tmpRates, fromCurrency, toCurrency, exchangeRate);
       }
+    } catch (SAXException | IOException | XPathExpressionException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error while parsing currency configuration file "+currencyConfigFile, e);
     }
     // Atomically swap in the new rates map, if it loaded successfully
     this.rates = tmpRates;

@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.FilterReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.io.input.CloseShieldInputStream;
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.solr.common.EmptyEntityResolver;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.SuppressForbidden;
+import org.apache.solr.common.util.XMLErrorLogger;
+import org.slf4j.Logger;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * Some utility methods for parsing XML in a safe way. This class can be used to parse XML
+ * coming from network (completely untrusted) or it can load a config file from a
+ * {@link ResourceLoader}. In this case it allows external entities and xincludes, but only
+ * referring to files reachable by the loader.
+ */
+@SuppressForbidden(reason = "This class uses XML APIs directly that should not be used anywhere else in Solr code")
+public final class SafeXMLParsing  {
+  
+  public static final String SYSTEMID_UNTRUSTED = "untrusted://stream";
+
+  private SafeXMLParsing() {}
+  
+  /** Parses a config file from ResourceLoader. Xinclude and external entities are enabled, but cannot escape the resource loader. */
+  public static Document parseConfigXML(Logger log, ResourceLoader loader, String file) throws SAXException, IOException {
+    try (InputStream in = loader.openResource(file)) {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      try {
+        dbf.setXIncludeAware(true);
+      } catch (UnsupportedOperationException e) {
+        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
+      }
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(new SystemIdResolver(loader));
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db.parse(in, SystemIdResolver.createSystemIdFromResourceName(file));
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given InputStream is not closed. */
+  public static Document parseUntrustedXML(Logger log, InputStream in) throws SAXException, IOException {
+    return getUntrustedDocumentBuilder(log).parse(new CloseShieldInputStream(in), SYSTEMID_UNTRUSTED);
+  }
+  
+  /** Parses the given InputStream as XML, disabling any external entities with secure processing enabled.
+   * The given Reader is not closed. */
+  public static Document parseUntrustedXML(Logger log, Reader reader) throws SAXException, IOException {
+    final InputSource is = new InputSource(new FilterReader(reader) {
+      @Override public void close() {}
+    });
+    is.setSystemId(SYSTEMID_UNTRUSTED);
+    return getUntrustedDocumentBuilder(log).parse(is);
+  }
+  
+  public static Document parseUntrustedXML(Logger log, String xml) throws SAXException, IOException {
+    return parseUntrustedXML(log, new StringReader(xml));
+  }
+
+  private static DocumentBuilder getUntrustedDocumentBuilder(Logger log) {
+    try {
+      final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+      dbf.setNamespaceAware(true);
+      trySetDOMFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      
+      final DocumentBuilder db = dbf.newDocumentBuilder();
+      db.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      db.setErrorHandler(new XMLErrorLogger(log));
+      return db;
+    } catch (ParserConfigurationException pce) {
+      throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser cannot be configured", pce);
+    }
+  }
+  
+  private static void trySetDOMFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
+    try {
+      factory.setFeature(feature, enabled);
+    } catch (Exception ex) {
+      // ignore
+    }
+  }
+  
+}

@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.lucene.analysis.util.ResourceLoader;
+import org.apache.lucene.util.LuceneTestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+public class TestSafeXMLParsing extends LuceneTestCase {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  
+  public void testUntrusted() throws Exception {
+    // TODO: Fix the underlying EmptyEntityResolver to not replace external entities by nothing and instead throw exception:
+    Document doc = SafeXMLParsing.parseUntrustedXML(log, "<!DOCTYPE test [\n" + 
+        "<!ENTITY internalTerm \"foobar\">\n" + 
+        "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+        "]>\n" + 
+        "<test>&internalTerm;&externalTerm;</test>");
+    assertEquals("foobar", doc.getDocumentElement().getTextContent());
+  }
+  
+  InputStream getStringStream(String xml) {
+    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+  }
+  
+  public void testConfig() throws Exception {
+    final ResourceLoader loader = new ResourceLoader() {
+      @Override
+      public InputStream openResource(String resource) throws IOException {
+        switch (resource) {
+          case "source1.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source2.xml":
+            return getStringStream("<!DOCTYPE test [\n" + 
+                "<!ENTITY externalTerm SYSTEM \"./include1.xml\">\n" + 
+                "]>\n" + 
+                "<test>&externalTerm;</test>");
+          case "source3.xml":
+            return getStringStream("<foo xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n" + 
+                "  <xi:include href=\"./include2.xml\"/>\n" + 
+                "</foo>");
+          case "include1.xml":
+            return getStringStream("Make XML Great Again!™");
+          case "include2.xml":
+            return getStringStream("<bar>Make XML Great Again!™</bar>");
+        }
+        throw new IOException("Resource not found: " + resource);
+      }
+
+      @Override
+      public <T> Class<? extends T> findClass(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public <T> T newInstance(String cname, Class<T> expectedType) {
+        throw new UnsupportedOperationException();
+      }
+      
+    };
+    
+    IOException ioe = expectThrows(IOException.class, () -> {
+      SafeXMLParsing.parseConfigXML(log, loader, "source1.xml");
+    });
+    assertTrue(ioe.getMessage().contains("Cannot resolve absolute systemIDs"));
+    
+    Document doc = SafeXMLParsing.parseConfigXML(log, loader, "source2.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent());
+    
+    doc = SafeXMLParsing.parseConfigXML(log, loader, "source3.xml");
+    assertEquals("Make XML Great Again!™", doc.getDocumentElement().getTextContent().trim());
+  }
+
+}