[xmltv] Handle possible XXE injection (#15467)

XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES
which allows injecting external entities.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Holger Friedrich 2023-09-23 19:12:22 +02:00 committed by GitHub
parent c9e6417754
commit 55789bd792
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 0 deletions

@ -54,6 +54,7 @@ public class XmlTVHandlerFactory extends BaseThingHandlerFactory {
public XmlTVHandlerFactory(final @Reference TimeZoneProvider timeZoneProvider) throws JAXBException {
this.timeZoneProvider = timeZoneProvider;
this.unmarshaller = JAXBContext.newInstance(Tv.class).createUnmarshaller();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}
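Review bot: The added `xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` only hardens readers created from `xif`, while the `unmarshaller` built on the line above it is configured separately, so this constructor alone does not show that XMLTV input is always parsed through `xif`. Please confirm that every `unmarshaller.unmarshal(...)` call is handed an `XMLStreamReader` obtained from `xif` rather than a `File` or `InputStream`, since those overloads use a parser that these two properties do not touch. A short comment above the two `setProperty` calls stating that they are XXE hardening (DTD processing and external entities both off) would also keep a later cleanup from dropping one of them as redundant.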