Merge pull request from GHSA-r2hc-pmr7-4c9r

* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
2021-01-24 15:06:00 +01:00
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
--- a/bundles/org.openhab.binding.bosesoundtouch/src/main/java/org/openhab/binding/bosesoundtouch/internal/XMLResponseProcessor.java
+++ b/bundles/org.openhab.binding.bosesoundtouch/src/main/java/org/openhab/binding/bosesoundtouch/internal/XMLResponseProcessor.java
@@ -41,6 +41,7 @@ public class XMLResponseProcessor {

    public void handleMessage(String msg) throws SAXException, IOException {
        XMLReader reader = XMLReaderFactory.createXMLReader();
+        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setContentHandler(new XMLResponseHandler(handler, stateSwitchingMap));
        reader.parse(new InputSource(new StringReader(msg)));
    }