authorAnton Tananaev <anton.tananaev@gmail.com>2019-01-04 11:24:47 -0800
committerAnton Tananaev <anton.tananaev@gmail.com>2019-01-04 11:24:47 -0800
commitd7f6c53fd88635885914013649b6807ec53227bf (patch)
treed55db4ee356356beff0457608fb44f9a05247cd4 /src/org/traccar/protocol
parenteea01d00aad283bf505262b3c462dc7b88011fae (diff)
Fix potential security issue
Diffstat (limited to 'src/org/traccar/protocol')
-rw-r--r--src/org/traccar/protocol/SpotProtocolDecoder.java11
1 files changed, 9 insertions, 2 deletions
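--- a/src/org/traccar/protocol/SpotProtocolDecoder.java
+++ b/src/org/traccar/protocol/SpotProtocolDecoder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2017 - 2019 Anton Tananaev (anton@traccar.org)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -49,7 +49,14 @@ public class SpotProtocolDecoder extends BaseHttpProtocolDecoder {
 public SpotProtocolDecoder(Protocol protocol) {
 super(protocol);
 try {
-documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+builderFactory.setXIncludeAware(false);
+builderFactory.setExpandEntityReferences(false);
+documentBuilder = builderFactory.newDocumentBuilder();
 xPath = XPathFactory.newInstance().newXPath();
 messageExpression = xPath.compile("//messageList/message");
 } catch (ParserConfigurationException | XPathExpressionException e) {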
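Review bot: The new `setFeature` calls after `DocumentBuilderFactory.newInstance()` throw `ParserConfigurationException` when the configured JAXP parser does not recognise these Xerces-specific feature URIs, and that exception lands in the existing `catch (ParserConfigurationException | XPathExpressionException e)` whose body lies outside the hunk; if that handler only logs, the decoder is still constructed with `documentBuilder` unset or unhardened, so the handler should fail construction rather than continue. The bare URIs do not explain the intent, so a comment above the feature block would help, for example `// Reject DTDs and external entities so untrusted SPOT XML cannot trigger XXE or entity expansion`. Setting the parser-independent `XMLConstants.FEATURE_SECURE_PROCESSING` feature as well would give a baseline that does not depend on the Xerces URIs being honoured. The constructor's catch body continues outside the hunk.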