From e3527b98fdd8dc8179c24dc55e662b2c55199434 Mon Sep 17 00:00:00 2001
From: Vincent Massol
Date: Fri, 4 Nov 2022 11:15:42 +0100
Subject: [PATCH] XWIKI-20320: Disallow DOCTYPE in the XAR descriptor

---
 .../src/main/java/org/xwiki/xar/XarPackage.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java b/xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java
index 340915084c6f..4fa3564fb43a 100644
--- a/xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java
+++ b/xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java
@@ -515,6 +515,8 @@ public void readDescriptor(InputStream stream) throws XarException, IOException
 DocumentBuilder dBuilder;
 try {
+ // Prevent XXE attack
+ dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 dBuilder = dbFactory.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
 throw new XarException("Failed to create a new Document builder", e);
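Review bot: The new `setFeature` call relies on the Xerces-specific feature URI `http://apache.org/xml/features/disallow-doctype-decl`; on a JAXP implementation that does not recognize it, `setFeature` throws `ParserConfigurationException`, which the existing catch turns into a `XarException` — a fail-closed outcome, but one worth stating in the comment, e.g. `// Prevent XXE: reject any DOCTYPE (Xerces feature; if unsupported, setFeature throws and descriptor parsing fails closed)`. For defense in depth it is also worth setting the JAXP-standard `dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` plus `dbFactory.setXIncludeAware(false);` and `dbFactory.setExpandEntityReferences(false);` before `newDocumentBuilder()`, since those are honored by every compliant parser (`javax.xml.XMLConstants` would need importing). Where `dbFactory` is created, and the start and end of `readDescriptor`, lie outside the hunk, so I cannot tell whether it is the default `DocumentBuilderFactory.newInstance()` or an explicitly chosen implementation; the hunk's trailing context line also appears cut off in this view.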