diff --git a/src/main/java/org/codelibs/fess/helper/PluginHelper.java b/src/main/java/org/codelibs/fess/helper/PluginHelper.java
index 0e2aeec22c28e5a926b656065a00921f044cbfde..02329e45e74f0737116b1dfb8ebf007d9f8353b0 100644
--- a/src/main/java/org/codelibs/fess/helper/PluginHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/PluginHelper.java
@@ -35,6 +35,7 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -123,6 +124,8 @@ public class PluginHelper {
try (final InputStream is = new ByteArrayInputStream(pluginMetaContent.getBytes(Constants.UTF_8_CHARSET))) {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(Constants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtil.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtil.EMPTY);
final DocumentBuilder builder = factory.newDocumentBuilder();
final Document document = builder.parse(is);
final NodeList nodeList = document.getElementsByTagName("version");
diff --git a/src/main/java/org/codelibs/fess/helper/ThemeHelper.java b/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
index 05e031860418dc2995a1f4bbc3dd5b789d951dab..f5efdc8459eabcdd46737f25692da45f391425e9 100644
--- a/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
@@ -28,6 +28,7 @@ import java.util.zip.ZipInputStream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.codelibs.core.lang.StringUtil;
+import org.codelibs.core.stream.StreamUtil;
import org.codelibs.fess.exception.ThemeException;
import org.codelibs.fess.helper.PluginHelper.Artifact;
import org.codelibs.fess.helper.PluginHelper.ArtifactType;
@@ -46,7 +47,8 @@ public class ThemeHelper {
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
if (!entry.isDirectory()) {
- final String[] names = entry.getName().split("/");
+ final String[] names = StreamUtil.split(entry.getName(), "/")
+ .get(stream -> stream.filter(s -> !"..".equals(s)).toArray(n -> new String[n]));
if (names.length < 2) {
continue;
}
diff --git a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
index b16ed7fe27b342320f01798503cb8f0290702e9e..003df095975f7f71857c78e28d9bf2677a27ac91 100644
--- a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
@@ -101,7 +101,7 @@ public class UserInfoHelper {
public void deleteUserCodeFromCookie(final HttpServletRequest request) {
final String cookieValue = getUserCodeFromCookie(request);
if (cookieValue != null) {
- updateCookie(cookieValue, 0);
+ updateCookie(StringUtil.EMPTY, 0);
}
}
diff --git a/src/main/java/org/codelibs/fess/util/GsaConfigParser.java b/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
index 641a991f31a1b3f402004d600bf2ccb9c9ee78cb..40e0477e5928662a9e7fdaac4f0a84149a03226c 100644
--- a/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
+++ b/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
@@ -26,6 +26,7 @@ import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
+import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -92,6 +93,8 @@ public class GsaConfigParser extends DefaultHandler {
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(org.codelibs.fess.crawler.Constants.FEATURE_SECURE_PROCESSING, true);
final SAXParser parser = factory.newSAXParser();
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtil.EMPTY);
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtil.EMPTY);
parser.parse(is, this);
} catch (final Exception e) {
throw new GsaConfigException("Failed to parse XML file.", e);