Merge pull request from GHSA-r2hc-pmr7-4c9r

* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
2021-01-24 15:06:00 +01:00
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
--- a/bundles/org.openhab.binding.tellstick/src/main/java/org/openhab/binding/tellstick/internal/live/TelldusLiveDeviceController.java
+++ b/bundles/org.openhab.binding.tellstick/src/main/java/org/openhab/binding/tellstick/internal/live/TelldusLiveDeviceController.java
@@ -309,6 +309,8 @@ public class TelldusLiveDeviceController implements DeviceChangeListener, Sensor
        // TelldusLiveHandler.logger.info("Devices" + resp.getResponseBody());
        JAXBContext jc = JAXBContext.newInstance(response);
        XMLInputFactory xif = XMLInputFactory.newInstance();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(resp.getResponseBodyAsStream());
        // xsr = new PropertyRenamerDelegate(xsr);