Prevent inclusion of local files via file:// XML entities

sparkle-project · Jan 29, 2016 · a6e9c8a · a6e9c8a
1 parent 70f6929
commit a6e9c8a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Sparkle/SUAppcast.m b/Sparkle/SUAppcast.m
@@ -102,7 +102,7 @@ - (void)downloadDidFinish:(NSURLDownload *)__unused aDownload
 	if (self.downloadFilename)
 	{
         NSUInteger options = 0;
-        options = NSXMLNodeLoadExternalEntitiesSameOriginOnly;
+        options = NSXMLNodeLoadExternalEntitiesNever; // Prevent inclusion from file://
         document = [[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:self.downloadFilename] options:options error:&error];
 
         [[NSFileManager defaultManager] removeItemAtPath:self.downloadFilename error:nil];