From d3c07344d345c6b8e003f765ce687f9faea25202 Mon Sep 17 00:00:00 2001
From: Holger Friedrich
Date: Tue, 29 Aug 2023 18:50:13 +0200
Subject: [PATCH] [dwdunwetter] Handle possible XXE injection (#15466)
XMLInputFactory: Disable properties IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD which allow injecting external entities.
Signed-off-by: Holger Friedrich
---
 .../binding/dwdunwetter/internal/dto/DwdWarningsData.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java b/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
index 41ae77917f9..80a39e60667 100644
--- a/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
+++ b/bundles/org.openhab.binding.dwdunwetter/src/main/java/org/openhab/binding/dwdunwetter/internal/dto/DwdWarningsData.java
@@ -119,6 +119,8 @@ public class DwdWarningsData {
 try {
 XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 XMLStreamReader reader = inputFactory.createXMLStreamReader(new StringReader(rawData));
 XMLEventReader eventReader = inputFactory.createXMLEventReader(reader);
 DwdWarningData gemeindeData = new DwdWarningData();
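Review bot: The two added `setProperty` calls carry no comment marking them as XXE hardening, and the commit adds no test for them (the diffstat lists only `DwdWarningsData.java`), so a later refactor of the factory setup could drop them unnoticed. I would put `// XXE hardening: rawData is treated as untrusted XML, so disable DTDs and external entity resolution` above the first call. A unit test that feeds the parser a document containing a `<!DOCTYPE>` declaration and asserts that no warning data is produced from it would pin the behaviour. How such input is reported depends on the `catch` of this `try`, which lies outside the hunk, as does the rest of the enclosing method.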