Non-functional changes

author: Jon Bratseth <bratseth@verizonmedia.com> 2020-01-06 21:06:26 +0100
committer: Jon Bratseth <bratseth@verizonmedia.com> 2020-01-06 21:06:26 +0100
commit: 1f6753d9d0f35a4a6612987fe8c6ea42ff166495 (patch)
tree: 0cfd3557a7400b7178b5dd6aa884d3407237d552 /config-application-package
parent: cc711b5a8fbc1a7a5897f8ee1761103fcb89e644 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/config-application-package/src/main/java/com/yahoo/config/application/Xml.java b/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
index e28c5eac0bb..1cdb54a743c 100644
--- a/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
+++ b/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
@@ -68,6 +68,7 @@ public class Xml {
 
     static DocumentBuilder getPreprocessDocumentBuilder() throws ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false); // XXE prevention
         factory.setNamespaceAware(true);
         factory.setXIncludeAware(false);
         factory.setValidating(false);
author	Jon Bratseth <bratseth@verizonmedia.com>	2020-01-06 21:06:26 +0100
committer	Jon Bratseth <bratseth@verizonmedia.com>	2020-01-06 21:06:26 +0100
commit	1f6753d9d0f35a4a6612987fe8c6ea42ff166495 (patch)
tree	0cfd3557a7400b7178b5dd6aa884d3407237d552 /config-application-package
parent	cc711b5a8fbc1a7a5897f8ee1761103fcb89e644 (diff)