
Prevent inclusion of local files via file:// XML entities

kornelski committed Jan 19, 2016
1 parent 70f6929 commit a6e9c8aff644f0cf5314c9f10e039c34cd350561
Showing with 1 addition and 1 deletion.
  1. +1 −1 Sparkle/SUAppcast.m
@@ -102,7 +102,7 @@ - (void)downloadDidFinish:(NSURLDownload *)__unused aDownload
if (self.downloadFilename)
{
NSUInteger options = 0;
options = NSXMLNodeLoadExternalEntitiesSameOriginOnly;
options = NSXMLNodeLoadExternalEntitiesNever; // Prevent inclusion from file://
document = [[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:self.downloadFilename] options:options error:&error];

[[NSFileManager defaultManager] removeItemAtPath:self.downloadFilename error:nil];
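Review bot: The comment on the new `options = NSXMLNodeLoadExternalEntitiesNever;` line states the effect but not why the same-origin option was unsafe, so a later edit could restore it without noticing. The document is loaded from a `fileURLWithPath:` URL on the next line, so same-origin presumably covered other local files; I would spell that out, e.g. `// Appcast is parsed from a local temp file, so same-origin would still allow file:// entities; load none.` The preceding `NSUInteger options = 0;` is a dead store and can be folded into `NSUInteger options = NSXMLNodeLoadExternalEntitiesNever;`. A regression test that parses a feed declaring an external entity and asserts it is not expanded would keep this from regressing. The body of downloadDidFinish: starts and ends outside the hunk.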
