From a6e9c8aff644f0cf5314c9f10e039c34cd350561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kornel=20Lesi=C5=84ski?=
Date: Tue, 19 Jan 2016 01:11:19 +0000
Subject: [PATCH] Prevent inclusion of local files via file:// XML entities
---
 Sparkle/SUAppcast.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Sparkle/SUAppcast.m b/Sparkle/SUAppcast.m
index dced1da792..42254148a1 100644
--- a/Sparkle/SUAppcast.m
+++ b/Sparkle/SUAppcast.m
@@ -102,7 +102,7 @@ - (void)downloadDidFinish:(NSURLDownload *)__unused aDownload
 if (self.downloadFilename) {
 NSUInteger options = 0;
- options = NSXMLNodeLoadExternalEntitiesSameOriginOnly;
+ options = NSXMLNodeLoadExternalEntitiesNever; // Prevent inclusion from file://
 document = [[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:self.downloadFilename] options:options error:&error];
 [[NSFileManager defaultManager] removeItemAtPath:self.downloadFilename error:nil];
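Review bot: The trailing comment on the new `options` line says what is blocked but not why the previous flag was unsafe here: the feed is parsed from a local copy via `fileURLWithPath:`, so for the parser "same origin" presumably meant the local filesystem rather than the feed's server. I would state that above the assignment, e.g. `// The appcast is untrusted remote content parsed from a local temp file, so "same origin" would be file://; never load external entities.` The `NSUInteger options = 0;` line followed by an immediate reassignment is now redundant and could collapse to `NSUInteger options = NSXMLNodeLoadExternalEntitiesNever;`. A regression test that parses a feed declaring an external entity and asserts it is left unresolved would keep this option from being loosened again unnoticed. The body of `downloadDidFinish:` starts before and continues after this hunk, so how `document` and `error` are handled afterwards is not visible.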