Merge pull request from GHSA-r2hc-pmr7-4c9r

* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
2021-01-24 15:06:00 +01:00
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
--- a/bundles/org.openhab.binding.vitotronic/src/main/java/org/openhab/binding/vitotronic/internal/handler/VitotronicBridgeHandler.java
+++ b/bundles/org.openhab.binding.vitotronic/src/main/java/org/openhab/binding/vitotronic/internal/handler/VitotronicBridgeHandler.java
@@ -250,6 +250,7 @@ public class VitotronicBridgeHandler extends BaseBridgeHandler {
        logger.trace("Start Background Thread for recieving data from adapter");
        try {
            XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            xmlReader.setContentHandler(new XmlHandler());
            logger.trace("Start Parser for optolink adapter");
            xmlReader.parse(new InputSource(inStream));