alex
/
PhpSpreadsheet
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

XML External Entity (XXE) Processing 

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

change simplexml_load_file to
simplexml_load_string(file_get_contents()) because load_file doesn't
work when
http://php.net/manual/en/function.libxml-disable-entity-loader.php is
true
This commit is contained in:
Yves Maerschalck 2014-07-16 09:28:33 +02:00
parent 87be8d3d8e
commit 0787e56d41
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Classes/PHPExcel/Reader/Excel2003XML.php
View File

@ -137,7 +137,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P
$worksheetNames = array(); $worksheetNames = array();
$xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
$namespaces = $xml->getNamespaces(true); $namespaces = $xml->getNamespaces(true);
$xml_ss = $xml->children($namespaces['ss']); $xml_ss = $xml->children($namespaces['ss']);
@ -165,7 +165,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P
$worksheetInfo = array(); $worksheetInfo = array();
$xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
$namespaces = $xml->getNamespaces(true); $namespaces = $xml->getNamespaces(true);
$worksheetID = 1; $worksheetID = 1;
@ -330,7 +330,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P
throw new PHPExcel_Reader_Exception($pFilename . " is an Invalid Spreadsheet file."); throw new PHPExcel_Reader_Exception($pFilename . " is an Invalid Spreadsheet file.");
} }
$xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
$namespaces = $xml->getNamespaces(true); $namespaces = $xml->getNamespaces(true);
$docProps = $objPHPExcel->getProperties(); $docProps = $objPHPExcel->getProperties();