fix for security
evernat committed Sep 4, 2018
1 parent 00dd8d5 commit ef11182
Showing 1 changed file with 2 additions and 0 deletions.
Expand Up @@ -235,6 +235,8 @@ private static String parseSoapMethodName(InputStream stream, String charEncodin
try {
// newInstance() et pas newFactory() pour java 1.5 (issue 367)
final XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // disable DTDs entirely for that factory
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // disable external entities
final XMLStreamReader xmlReader;
if (charEncoding != null) {
xmlReader = factory.createXMLStreamReader(stream, charEncoding);
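Review bot: the two factory.setProperty(...) calls right after XMLInputFactory.newInstance() can throw IllegalArgumentException when the StAX implementation that newInstance() resolves does not support the property, and the catch clauses of this try are not visible in the hunk. Please confirm that such a failure is caught and leaves the request unparsed rather than falling back to a factory with DTDs enabled. The change also ships without a test (1 changed file, 2 additions): a regression test that feeds parseSoapMethodName a SOAP body with a DOCTYPE declaration and checks that no entity is resolved would keep this hardening from being lost in a later refactor. The commit message "fix for security" would be easier to trace if it named the problem, XML external entity processing in parseSoapMethodName.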

1 comment on commit ef11182

@abergmann

CVE-2018-15531 was assigned to this issue.
