diff options
author | Anton Tananaev <anton.tananaev@gmail.com> | 2019-01-04 11:24:47 -0800 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2019-01-04 11:24:47 -0800 |
commit | d7f6c53fd88635885914013649b6807ec53227bf (patch) | |
tree | d55db4ee356356beff0457608fb44f9a05247cd4 /src/org/traccar/protocol | |
parent | eea01d00aad283bf505262b3c462dc7b88011fae (diff) | |
download | trackermap-server-d7f6c53fd88635885914013649b6807ec53227bf.tar.gz trackermap-server-d7f6c53fd88635885914013649b6807ec53227bf.tar.bz2 trackermap-server-d7f6c53fd88635885914013649b6807ec53227bf.zip |
Fix potential security issue
Diffstat (limited to 'src/org/traccar/protocol')
-rw-r--r-- | src/org/traccar/protocol/SpotProtocolDecoder.java | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/org/traccar/protocol/SpotProtocolDecoder.java b/src/org/traccar/protocol/SpotProtocolDecoder.java index 78b2b0487..da36c2048 100644 --- a/src/org/traccar/protocol/SpotProtocolDecoder.java +++ b/src/org/traccar/protocol/SpotProtocolDecoder.java @@ -1,5 +1,5 @@ /* - * Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org) + * Copyright 2017 - 2019 Anton Tananaev (anton@traccar.org) * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -49,7 +49,14 @@ public class SpotProtocolDecoder extends BaseHttpProtocolDecoder { public SpotProtocolDecoder(Protocol protocol) { super(protocol); try { - documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); + builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + builderFactory.setXIncludeAware(false); + builderFactory.setExpandEntityReferences(false); + documentBuilder = builderFactory.newDocumentBuilder(); xPath = XPathFactory.newInstance().newXPath(); messageExpression = xPath.compile("//messageList/message"); } catch (ParserConfigurationException | XPathExpressionException e) { |