diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java
index 05f0868..4425101 100644
--- a/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java
+++ b/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java
@@ -117,4 +117,15 @@ public interface FeedFetcher {
 * corresponding wireEntry property set.
 */
 void setPreserveWireFeed(boolean preserveWireFeed);
+
+ /**
+ * In ROME 1.5.1 we fixed a security vulnerability by disallowing Doctype declarations by default.
+ * This change breaks the compatibility with at least RSS 0.91N because it requires a Doctype declaration.
+ * You are able to allow Doctype declarations again with this property. You should only activate it
+ * when the feeds that you process are absolutely trustful.
+ *
+ * @param allowDoctypes true when Doctype declarations should be allowed again, false otherwise
+ */
+ void setAllowDoctypes(boolean allowDoctypes);
+
 }
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java
index 15f07ac..fc3dce5 100644
--- a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java
+++ b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java
@@ -42,6 +42,7 @@ public abstract class AbstractFeedFetcher implements FeedFetcher {
 private String userAgent;
 private boolean usingDeltaEncoding;
 private boolean preserveWireFeed;
+ private boolean allowDoctypes = false;
 public AbstractFeedFetcher() {
@@ -222,4 +223,13 @@ public abstract class AbstractFeedFetcher implements FeedFetcher {
 this.preserveWireFeed = preserveWireFeed;
 }
+ public boolean isAllowDoctypes() {
+ return allowDoctypes;
+ }
+
+ @Override
+ public void setAllowDoctypes(boolean allowDoctypes) {
+ this.allowDoctypes = allowDoctypes;
+ }
+
 }
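Review bot: The Javadoc added for `setAllowDoctypes` in FeedFetcher says a vulnerability was fixed but never says what accepting Doctype declarations exposes, so a caller cannot weigh the risk before enabling it. Doctype processing is what normally makes external-entity resolution and entity expansion possible in an XML parser, which is presumably the issue referred to; naming that in one sentence would help. The closing sentence could be tightened to `Only enable this when every feed this fetcher retrieves comes from a source you fully trust.`, since the flag is set per fetcher rather than per URL. Separately, adding an abstract method to a public interface breaks any implementation outside this repository that does not extend AbstractFeedFetcher, which deserves a release-note entry. The interface body begins outside the hunk.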
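Review bot: `isAllowDoctypes()` in the second AbstractFeedFetcher hunk is a new public method with no Javadoc, and unlike the setter it is not declared on `FeedFetcher`, so the secure default is documented nowhere on the class. I would add `/** @return whether Doctype declarations are accepted when parsing fetched feeds; false unless explicitly enabled */` above it. The flag is a plain mutable field, so on a fetcher instance that is shared, switching it on changes parsing for every later retrieval through that instance; a sentence to that effect on the setter would be useful. The class body starts outside the hunk.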
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java
index c15833f..3c0b55a 100644
--- a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java
+++ b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java
@@ -275,6 +275,7 @@ public class HttpClientFeedFetcher extends AbstractFeedFetcher {
 final SyndFeedInput syndFeedInput = new SyndFeedInput();
 syndFeedInput.setPreserveWireFeed(isPreserveWireFeed());
+ syndFeedInput.setAllowDoctypes(isAllowDoctypes());
 return syndFeedInput.build(reader);
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java
index 70a8863..106852f 100644
--- a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java
+++ b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java
@@ -280,11 +280,6 @@ public class HttpURLFeedFetcher extends AbstractFeedFetcher {
 is = new BufferedInputStream(inputStream);
 }
- // InputStreamReader reader = new InputStreamReader(is,
- // ResponseHandler.getCharacterEncoding(connection));
-
- // SyndFeedInput input = new SyndFeedInput();
-
 final XmlReader reader;
 if (connection.getHeaderField("Content-Type") != null) {
 reader = new XmlReader(is, connection.getHeaderField("Content-Type"), true);
@@ -294,6 +289,7 @@ public class HttpURLFeedFetcher extends AbstractFeedFetcher {
 final SyndFeedInput syndFeedInput = new SyndFeedInput();
 syndFeedInput.setPreserveWireFeed(isPreserveWireFeed());
+ syndFeedInput.setAllowDoctypes(isAllowDoctypes());
 return syndFeedInput.build(reader);
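Review bot: No test in this diff checks that the flag actually reaches the parser from the added `syndFeedInput.setAllowDoctypes(isAllowDoctypes());` line. A fetch of a feed carrying a Doctype declaration should be rejected with the default setting and accepted only after `setAllowDoctypes(true)`, and the same applies to the identical line added in the last HttpURLFeedFetcher hunk. Both fetchers configure `SyndFeedInput` by hand, so a shared protected helper in AbstractFeedFetcher that returns the configured input would keep parser hardening settings in one place for future fetchers. The enclosing method begins and ends outside the hunk.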