Skip to content
Permalink
Browse files

Fix potential security issue

  • Loading branch information...
tananaev committed Jan 4, 2019
1 parent eea01d0 commit d7f6c53fd88635885914013649b6807ec53227bf
Showing with 9 additions and 2 deletions.
  1. +9 −2 src/org/traccar/protocol/SpotProtocolDecoder.java
@@ -1,5 +1,5 @@
/*
* Copyright 2017 - 2018 Anton Tananaev (anton@traccar.org)
* Copyright 2017 - 2019 Anton Tananaev (anton@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -49,7 +49,14 @@
public SpotProtocolDecoder(Protocol protocol) {
super(protocol);
try {
documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
builderFactory.setXIncludeAware(false);
builderFactory.setExpandEntityReferences(false);
documentBuilder = builderFactory.newDocumentBuilder();
xPath = XPathFactory.newInstance().newXPath();
messageExpression = xPath.compile("//messageList/message");
} catch (ParserConfigurationException | XPathExpressionException e) {

0 comments on commit d7f6c53

Please sign in to comment.
You can’t perform that action at this time.