This was overlooked while committing SOLR-3895.
For several reasons, disabling the resolving of external entities within the Solr UpdateRequestHandler for XML would be good.
Backport some security fixes from 4.x to 3.6.x branch
Committed to 4.3.1, 4.4 and trunk.
Thanks Hoss for pointing out the inconsistency!
Bulk close after 4.3.1 release
Commit 1547011 from Uwe Schindler in branch 'dev/branches/lucene_solr_3_6'
[ https://svn.apache.org/r1547011 ]
SOLR-5520: Backports of: