Repair XXE vulnerability at initialization

zhutougg committed Dec 20, 2018
1 parent 6796e1d commit 2eb0ea97f745740b18dd45e4a909112d4685f87b
Showing with 1 addition and 0 deletions.
  1. +1 −0 src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
@@ -144,6 +144,7 @@ public static C3P0Config extractXmlConfigFromDefaultResource() throws Exception
public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
{
DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
fact.setExpandEntityReferences(false);
DocumentBuilder db = fact.newDocumentBuilder();
Document doc = db.parse( is );
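
Review bot: `fact.setExpandEntityReferences(false)` in `extractXmlConfigFromInputStream` is the only hardening applied to the factory before `db.parse( is )`, and on its own it still lets the parser accept a DOCTYPE, so the DTD is processed and an external subset or external parameter entities can still be fetched at parse time. I would also reject DTDs on the factory with `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, or, if the config format needs a DOCTYPE, turn off `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities`. The hunk header shows `extractXmlConfigFromDefaultResource()` directly above this method; please confirm it parses through this same factory so that path is covered too, and add a one-line comment saying why the factory is configured this way.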

1 comment on commit 2eb0ea9

crazyguyonabike commented on 2eb0ea9 Jan 9, 2019

If this actually fixes the CVE, can you do a PR to the original source and/or make a release?
