Merge pull request from GHSA-r2hc-pmr7-4c9r

* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
2021-01-24 15:06:00 +01:00
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
--- a/bundles/org.openhab.binding.upnpcontrol/src/main/java/org/openhab/binding/upnpcontrol/internal/util/UpnpXMLParser.java
+++ b/bundles/org.openhab.binding.upnpcontrol/src/main/java/org/openhab/binding/upnpcontrol/internal/util/UpnpXMLParser.java
@@ -79,6 +79,9 @@ public class UpnpXMLParser {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            SAXParser saxParser = factory.newSAXParser();
+            factory.setFeature("https://xml.org/sax/features/external-general-entities", false);
+            saxParser.getXMLReader().setFeature("https://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("https://apache.org/xml/features/disallow-doctype-decl", true);
            saxParser.parse(new InputSource(new StringReader(xml)), handler);
        } catch (IOException e) {
            // This should never happen - we're not performing I/O!
@@ -135,6 +138,9 @@ public class UpnpXMLParser {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            SAXParser saxParser = factory.newSAXParser();
+            factory.setFeature("https://xml.org/sax/features/external-general-entities", false);
+            saxParser.getXMLReader().setFeature("https://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("https://apache.org/xml/features/disallow-doctype-decl", true);
            saxParser.parse(new InputSource(new StringReader(xml)), handler);
        } catch (IOException e) {
            // This should never happen - we're not performing I/O!
@@ -179,6 +185,9 @@ public class UpnpXMLParser {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            SAXParser saxParser = factory.newSAXParser();
+            factory.setFeature("https://xml.org/sax/features/external-general-entities", false);
+            saxParser.getXMLReader().setFeature("https://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("https://apache.org/xml/features/disallow-doctype-decl", true);
            saxParser.parse(new InputSource(new StringReader(xml)), handler);
        } catch (IOException e) {
            // This should never happen - we're not performing I/O!