[xmltv] Avoid XXE injection #15467

Merged
merged 1 commit into from
Sep 23, 2023
holgerfriedrich
Member

XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES which allows injecting external entities.

I cannot test this change. @clinique was it intentional to disable DTD and keep external entities on?
In that case, please close my PR.

XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES
which allows injecting external entities.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
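
A regression check for the setting this PR changes, added here as an example (not code from the PR or from openHAB). The class name, helper names, marker value and the XMLTV-like sample document are constructed for illustration, and setting `SUPPORT_DTD` to false is assumed from the PR description's remark that DTD was already disabled.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeRegressionCheck { // hypothetical class name
    static final String MARKER = "CONSTRUCTED-MARKER-1234"; // constructed sample value

    // DTD support off (assumed already in place) plus the property this PR disables.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the character data read; "<rejected>" is appended if the parser
    // refuses the document. Both outcomes are safe as long as MARKER is absent.
    static String parseText(XMLInputFactory f, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamReader.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } catch (XMLStreamException e) {
            text.append("<rejected>");
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        Path local = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(local, MARKER);
        // Constructed XMLTV-like input whose title references an external entity.
        String xml = "<!DOCTYPE tv [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>"
            + "<tv><programme><title>&ext;</title></programme></tv>";
        String text = parseText(hardenedFactory(), xml);
        Files.delete(local);
        if (text.contains(MARKER)) {
            throw new AssertionError("external entity content reached the parsed text");
        }
        System.out.println("OK, parsed text: " + text);
    }
}
```

The check passes whether the StAX implementation drops the entity or rejects the document; it fails only if the temporary file's content appears in the parsed text.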
@lolodomo
Contributor

lolodomo commented Sep 6, 2023

@clinique: any feedback?

Contributor

@clinique clinique left a comment

LGTM

@clinique
Contributor

@holgerfriedrich: sorry for the late review of your proposal. Thanks for this.

Contributor

@lolodomo lolodomo left a comment

LGTM

@lolodomo lolodomo merged commit 55789bd into openhab:main Sep 23, 2023
@lolodomo lolodomo added the enhancement An enhancement or new feature for an existing add-on label Sep 23, 2023
@lolodomo lolodomo added this to the 4.1 milestone Sep 23, 2023
@lolodomo lolodomo changed the title [xmltv] Handle possible XXE injection [xmltv] Avoid XXE injection Sep 23, 2023
@holgerfriedrich holgerfriedrich deleted the pr-xmltv-xxe branch September 23, 2023 17:52
Pshatsillo pushed a commit to Pshatsillo/openhab-addons that referenced this pull request Sep 29, 2023
pat-git023 pushed a commit to pat-git023/openhab-addons that referenced this pull request Oct 13, 2023
querdenker2k pushed a commit to querdenker2k/openhab-addons that referenced this pull request Oct 21, 2023
querdenker2k pushed a commit to querdenker2k/openhab-addons that referenced this pull request Oct 29, 2023
Signed-off-by: querdenker2k <querdenker2k@gmx.de>
austvik pushed a commit to austvik/openhab-addons that referenced this pull request Mar 27, 2024
Signed-off-by: Jørgen Austvik <jaustvik@acm.org>