From: Markus Koschany <apo@debian.org>
Date: Tue, 25 Dec 2018 15:14:04 +0100
Subject: CVE-2018-20433
Bug-Debian: https://bugs.debian.org/917257
Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
---
src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
index 3878e89..4a75bd8 100644
--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
{
DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+ fact.setExpandEntityReferences(false);
DocumentBuilder db = fact.newDocumentBuilder();
Document doc = db.parse( is );
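Review bot: `fact.setExpandEntityReferences(false)` is only a partial XXE control for `extractXmlConfigFromInputStream`: it governs how entity references appear in the resulting DOM, and does not stop the parser from accepting a DOCTYPE or, on some parser implementations, from fetching an external DTD or parameter entities while `db.parse( is )` runs. I would additionally reject DTDs before `newDocumentBuilder()` with `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which also shuts out nested entity-expansion (resource exhaustion) documents that this line leaves untouched. If c3p0 configuration files legitimately carry a DOCTYPE, the fallback is to set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` and enable `XMLConstants.FEATURE_SECURE_PROCESSING`. A short comment above the factory setup saying the stream may come from an untrusted source would explain why the hardening is there. The method body continues past the end of the hunk, so any later handling of `doc` is not visible here.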