From 1f6753d9d0f35a4a6612987fe8c6ea42ff166495 Mon Sep 17 00:00:00 2001
From: Jon Bratseth <bratseth@verizonmedia.com>
Date: Mon, 6 Jan 2020 21:06:26 +0100
Subject: Non-functional changes

---
 .../src/main/java/com/yahoo/config/application/Xml.java                  | 1 +
 1 file changed, 1 insertion(+)

(limited to 'config-application-package')

diff --git a/config-application-package/src/main/java/com/yahoo/config/application/Xml.java b/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
index e28c5eac0bb..1cdb54a743c 100644
--- a/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
+++ b/config-application-package/src/main/java/com/yahoo/config/application/Xml.java
@@ -68,6 +68,7 @@ public class Xml {
 
     static DocumentBuilder getPreprocessDocumentBuilder() throws ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false); // XXE prevention
         factory.setNamespaceAware(true);
         factory.setXIncludeAware(false);
         factory.setValidating(false);
-- 
cgit v1.2.3