From: Holger Friedrich Date: Tue, 29 Aug 2023 16:50:13 +0000 (+0200) Subject: [dwdunwetter] Handle possible XXE injection (#15466) X-Git-Url: https://git.basschouten.com/?a=commitdiff_plain;h=d3c07344d345c6b8e003f765ce687f9faea25202;p=openhab-addons.git [dwdunwetter] Handle possible XXE injection (#15466) XMLInputFactory: Disable properties IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD which allow injecting external entities. Signed-off-by: Holger Friedrich
---
diff --git a/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java b/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
index 41ae77917f..80a39e6066 100644
--- a/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
+++ b/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
@@ -119,6 +119,8 @@ public class DwdWarningsData {
 try {
 XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 XMLStreamReader reader = inputFactory.createXMLStreamReader(new StringReader(rawData));
 XMLEventReader eventReader = inputFactory.createXMLEventReader(reader);
 DwdWarningData gemeindeData = new DwdWarningData();
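Review bot: The two `setProperty` calls added after `XMLInputFactory.newInstance()` have no comment saying why they are there, so a later cleanup could remove them and silently reopen the XXE exposure. I would add `// Prevent XXE: disable DTD processing and external entity resolution` directly above them. With `SUPPORT_DTD` set to false, a payload that carries a DOCTYPE or an entity reference will, depending on the StAX implementation, presumably end in an `XMLStreamException` rather than being expanded. The `catch` for this `try` lies outside the hunk, so it is worth confirming that path is handled cleanly and leaves no half-filled warning data. A unit test that feeds a `rawData` string containing a DOCTYPE would pin this hardening against regression.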