rometools · mishako · Mar 3, 2016 · Mar 1, 2016
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/FeedFetcher.java
@@ -117,4 +117,15 @@ public interface FeedFetcher {
      * corresponding wireEntry property set.
      */
     void setPreserveWireFeed(boolean preserveWireFeed);
+
+    /**
+     * In ROME 1.5.1 we fixed a security vulnerability by disallowing Doctype declarations by default. 
+     * This change breaks the compatibility with at least RSS 0.91N because it requires a Doctype declaration. 
+     * You are able to allow Doctype declarations again with this property. You should only activate it 
+     * when the feeds that you process are absolutely trustful. 
+     *  
+     * @param allowDoctypes true when Doctype declarations should be allowed again, false otherwise
+     */
+    void setAllowDoctypes(boolean allowDoctypes);
+
 }
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/AbstractFeedFetcher.java
@@ -42,6 +42,7 @@ public abstract class AbstractFeedFetcher implements FeedFetcher {
     private String userAgent;
     private boolean usingDeltaEncoding;
     private boolean preserveWireFeed;
+    private boolean allowDoctypes = false;
 
     public AbstractFeedFetcher() {
 
@@ -222,4 +223,13 @@ public void setPreserveWireFeed(final boolean preserveWireFeed) {
         this.preserveWireFeed = preserveWireFeed;
     }
 
+    public boolean isAllowDoctypes() {
+        return allowDoctypes;
+    }
+
+    @Override
+    public void setAllowDoctypes(boolean allowDoctypes) {
+        this.allowDoctypes = allowDoctypes;
+    }
+
 }
diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpClientFeedFetcher.java
@@ -275,6 +275,7 @@ private SyndFeed retrieveFeed(final String urlStr, final HttpMethod method) thro
 
             final SyndFeedInput syndFeedInput = new SyndFeedInput();
             syndFeedInput.setPreserveWireFeed(isPreserveWireFeed());
+            syndFeedInput.setAllowDoctypes(isAllowDoctypes());
 
             return syndFeedInput.build(reader);
 

diff --git a/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java b/rome-fetcher/src/main/java/com/rometools/fetcher/impl/HttpURLFeedFetcher.java
@@ -280,11 +280,6 @@ private SyndFeed readSyndFeedFromStream(final InputStream inputStream, final URL
             is = new BufferedInputStream(inputStream);
         }
 
-        // InputStreamReader reader = new InputStreamReader(is,
-        // ResponseHandler.getCharacterEncoding(connection));
-
-        // SyndFeedInput input = new SyndFeedInput();
-
         final XmlReader reader;
         if (connection.getHeaderField("Content-Type") != null) {
             reader = new XmlReader(is, connection.getHeaderField("Content-Type"), true);
@@ -294,6 +289,7 @@ private SyndFeed readSyndFeedFromStream(final InputStream inputStream, final URL
 
         final SyndFeedInput syndFeedInput = new SyndFeedInput();
         syndFeedInput.setPreserveWireFeed(isPreserveWireFeed());
+        syndFeedInput.setAllowDoctypes(isAllowDoctypes());
 
         return syndFeedInput.build(reader);