From 55789bd792d33c00513cabecb321849b449e5fe8 Mon Sep 17 00:00:00 2001
From: Holger Friedrich
Date: Sat, 23 Sep 2023 19:12:22 +0200
Subject: [PATCH] [xmltv] Handle possible XXE injection (#15467)

XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES which allows injecting external entities.

Signed-off-by: Holger Friedrich
---
 .../org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
index 02aaa95f2..f48d83095 100644
--- a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
+++ b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
@@ -54,6 +54,7 @@ public class XmlTVHandlerFactory extends BaseThingHandlerFactory {
 public XmlTVHandlerFactory(final @Reference TimeZoneProvider timeZoneProvider) throws JAXBException {
 this.timeZoneProvider = timeZoneProvider;
 this.unmarshaller = JAXBContext.newInstance(Tv.class).createUnmarshaller();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 }
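Review bot: The two `xif.setProperty(...)` calls harden only readers created from `xif`; the JAXB `unmarshaller` built on the line above them is a separate entry point, and nothing in this hunk ties it to that factory. If any caller (outside this hunk) passes a `File`, `InputStream` or `Source` straight to `unmarshaller.unmarshal(...)`, JAXB parses with its own parser configuration and the new `IS_SUPPORTING_EXTERNAL_ENTITIES` / `SUPPORT_DTD` settings would not apply, so the call sites are worth confirming. I would record the contract above the two calls, e.g. `// XXE hardening: XMLTV input must only be unmarshalled via an XMLStreamReader created from xif`. The declaration of `xif` and the rest of the class lie outside the hunk.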