public/openhab-addons
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request from GHSA-r2hc-pmr7-4c9r

Browse Source 
* Configured XML parsers to resist XXE attacks

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* added fix for avmfritz

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* added fix for sonos

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* added fix for vitotronic and bosesoundtouch

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* changed avmfritz to singleton pattern

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* addressed roku binding

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* address all uses of DocumentBuilderFactory

Signed-off-by: Kai Kreuzer <kai@openhab.org>

* fixed other occurrences in roku binding

Signed-off-by: Kai Kreuzer <kai@openhab.org>
This commit is contained in:
Kai Kreuzer
2021-01-24 15:06:00 +01:00
committed by GitHub
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
bundles/org.openhab.binding.enigma2/src/main/java/org/openhab/binding/enigma2/internal/Enigma2Client.java
View File

@@ -81,9 +81,16 @@ public class Enigma2Client {
private final Enigma2HttpClient enigma2HttpClient;
private final DocumentBuilderFactory factory;
public Enigma2Client(String host, @Nullable String user, @Nullable String password, int requestTimeout) {
this.enigma2HttpClient = new Enigma2HttpClient(requestTimeout);
this.factory = DocumentBuilderFactory.newInstance();
public Enigma2Client(String host, @Nullable String user, @Nullable String password, int requestTimeout)
throws ParserConfigurationException {
enigma2HttpClient = new Enigma2HttpClient(requestTimeout);
factory = DocumentBuilderFactory.newInstance();
// see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
if (StringUtils.isNotEmpty(user) && StringUtils.isNotEmpty(password)) {
this.host = "http://" + user + ":" + password + "@" + host;
} else {