[xmltv] Handle possible XXE injection (#15467)

XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES
which allows injecting external entities.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>

diff --git a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
index 02aaa95f29386df26d7f1655b50df51862e81bee..f48d830955fb699154fa6ed88d6a576bc107e8ff 100644 (file)
--- a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
+++ b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
@@ -54,6 +54,7 @@ public class XmlTVHandlerFactory extends BaseThingHandlerFactory {
     public XmlTVHandlerFactory(final @Reference TimeZoneProvider timeZoneProvider) throws JAXBException {
         this.timeZoneProvider = timeZoneProvider;
         this.unmarshaller = JAXBContext.newInstance(Tv.class).createUnmarshaller();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
         xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
     }