From: Holger Friedrich Date: Sat, 23 Sep 2023 17:12:22 +0000 (+0200) Subject: [xmltv] Handle possible XXE injection (#15467) X-Git-Url: https://git.basschouten.com/?a=commitdiff_plain;h=55789bd792d33c00513cabecb321849b449e5fe8;p=openhab-addons.git [xmltv] Handle possible XXE injection (#15467) XMLInputFactory: Disable property IS_SUPPORTING_EXTERNAL_ENTITIES which allows injecting external entities. Signed-off-by: Holger Friedrich
---
diff --git a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
index 02aaa95f29..f48d830955 100644
--- a/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
+++ b/bundles/org.openhab.binding.xmltv/src/main/java/org/openhab/binding/xmltv/internal/XmlTVHandlerFactory.java
@@ -54,6 +54,7 @@ public class XmlTVHandlerFactory extends BaseThingHandlerFactory {
 public XmlTVHandlerFactory(final @Reference TimeZoneProvider timeZoneProvider) throws JAXBException {
 this.timeZoneProvider = timeZoneProvider;
 this.unmarshaller = JAXBContext.newInstance(Tv.class).createUnmarshaller();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 }
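Review bot: The two `xif.setProperty` calls in the constructor only protect XML that is read through a reader created from `xif`; the declaration of `xif` and every use of `unmarshaller` lie outside this hunk, so it is worth confirming that no path hands a file or stream straight to `unmarshaller.unmarshal(...)`, which would presumably not pick up this factory's settings. Since `SUPPORT_DTD` was already `false`, the new line reads as defence in depth, and a one-line comment above the pair would record that intent, e.g. `// XXE hardening: reject DTDs and never resolve external entities`. A regression test that feeds the handler a guide file containing a `DOCTYPE` with an external entity and asserts that parsing fails would keep either setting from being dropped unnoticed later.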