Fix potential security issue
tananaev committed Jan 4, 2019
1 parent eea01d0 commit d7f6c53
Showing 1 changed file with 9 additions and 2 deletions.
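--- a/src/org/traccar/protocol/SpotProtocolDecoder.java
+++ b/src/org/traccar/protocol/SpotProtocolDecoder.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org)
+* Copyright 2017 - 2019 Anton Tananaev (anton@traccar.org)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -49,7 +49,14 @@ public class SpotProtocolDecoder extends BaseHttpProtocolDecoder {
 public SpotProtocolDecoder(Protocol protocol) {
 super(protocol);
 try {
-documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+builderFactory.setXIncludeAware(false);
+builderFactory.setExpandEntityReferences(false);
+documentBuilder = builderFactory.newDocumentBuilder();
 xPath = XPathFactory.newInstance().newXPath();
 messageExpression = xPath.compile("//messageList/message");
 } catch (ParserConfigurationException | XPathExpressionException e) {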
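Review bot: The six parser settings added in the SpotProtocolDecoder constructor have no comment naming what they defend against, and the commit title does not say either. A line such as `// XXE hardening: the XML parsed here is presumably device-supplied, so reject DOCTYPE outright; the remaining flags are defence in depth` above the first `builderFactory.setFeature(...)` call would keep a later cleanup from dropping them as redundant. The two `http://apache.org/xml/features/...` URIs are Xerces-specific, so under a different JAXP provider `setFeature` may throw ParserConfigurationException into the catch that closes the hunk. That catch body lies outside the hunk, so confirm it rethrows rather than leaving the decoder without a builder. A decoder test that feeds a message containing a DOCTYPE declaration and expects the parse to be rejected would pin the hardening against regressions.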
