Skip to content

Commit

Permalink
[xmltv] Handle possible XXE injection (#15467)
Browse files Browse the repository at this point in the history
XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES
which allows injecting external entities.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
  • Loading branch information
holgerfriedrich authored Sep 23, 2023
1 parent c9e6417 commit 55789bd
Showing 1 changed file with 1 addition and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ public class XmlTVHandlerFactory extends BaseThingHandlerFactory {
public XmlTVHandlerFactory(final @Reference TimeZoneProvider timeZoneProvider) throws JAXBException {
this.timeZoneProvider = timeZoneProvider;
this.unmarshaller = JAXBContext.newInstance(Tv.class).createUnmarshaller();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}

Expand Down

0 comments on commit 55789bd

Please sign in to comment.