Settings: deleted libxml_disable_entity_loader() calls (#113)
Settings: deleted libxml_disable_entity_loader() calls since they're not necessary. Prevent setLibXmlLoaderOptions() and getLibXmlLoaderOptions() to call the libxml_disable_entity_loader() function which alter the global state of libxml. See the discussion here https://github.com/PHPOffice/PhpSpreadsheet/issues/74
This commit is contained in:
		
							parent
							
								
									de57bf722c
								
							
						
					
					
						commit
						9767112b23
					
				| @ -12,8 +12,7 @@ spreadsheet files. This can lead to: | ||||
| -   Server Side Request Forgery | ||||
| -   Command Execution (depending on the installed PHP wrappers) | ||||
| 
 | ||||
| To prevent this, PhpSpreadsheet sets `libxml_disable_entity_loader` to | ||||
| `true` for the XML-based Readers by default. | ||||
| To prevent this, by default every XML-based Reader looks for XML entities declared inside the DOCTYPE and if any is found an exception is raised. | ||||
| 
 | ||||
| ## Loading a Spreadsheet File | ||||
| 
 | ||||
|  | ||||
| @ -237,7 +237,6 @@ class Settings | ||||
|         if (is_null($options) && defined('LIBXML_DTDLOAD')) { | ||||
|             $options = LIBXML_DTDLOAD | LIBXML_DTDATTR; | ||||
|         } | ||||
|         @libxml_disable_entity_loader((bool) $options); | ||||
|         self::$libXmlLoaderOptions = $options; | ||||
|     } | ||||
| 
 | ||||
| @ -254,7 +253,6 @@ class Settings | ||||
|         } elseif (is_null(self::$libXmlLoaderOptions)) { | ||||
|             self::$libXmlLoaderOptions = true; | ||||
|         } | ||||
|         @libxml_disable_entity_loader((bool) self::$libXmlLoaderOptions); | ||||
| 
 | ||||
|         return self::$libXmlLoaderOptions; | ||||
|     } | ||||
|  | ||||
| @ -4,14 +4,27 @@ namespace PhpOffice\PhpSpreadsheetTests; | ||||
| 
 | ||||
| class SettingsTest extends \PHPUnit_Framework_TestCase | ||||
| { | ||||
|     /** | ||||
|      * @var string | ||||
|      */ | ||||
|     protected $prevValue; | ||||
| 
 | ||||
|     public function setUp() | ||||
|     { | ||||
|         $this->prevValue = libxml_disable_entity_loader(); | ||||
|         libxml_disable_entity_loader(false); // Enable entity loader
 | ||||
|     } | ||||
| 
 | ||||
|     protected function tearDown() | ||||
|     { | ||||
|         libxml_disable_entity_loader($this->prevValue); | ||||
|     } | ||||
| 
 | ||||
|     public function testGetXMLSettings() | ||||
|     { | ||||
|         $result = \PhpOffice\PhpSpreadsheet\Settings::getLibXmlLoaderOptions(); | ||||
|         $this->assertTrue((bool) ((LIBXML_DTDLOAD | LIBXML_DTDATTR) & $result)); | ||||
|         $this->assertFalse(libxml_disable_entity_loader()); | ||||
|     } | ||||
| 
 | ||||
|     public function testSetXMLSettings() | ||||
| @ -19,5 +32,6 @@ class SettingsTest extends \PHPUnit_Framework_TestCase | ||||
|         \PhpOffice\PhpSpreadsheet\Settings::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_DTDVALID); | ||||
|         $result = \PhpOffice\PhpSpreadsheet\Settings::getLibXmlLoaderOptions(); | ||||
|         $this->assertTrue((bool) ((LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_DTDVALID) & $result)); | ||||
|         $this->assertFalse(libxml_disable_entity_loader()); | ||||
|     } | ||||
| } | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Paolo Agostinetto
						Paolo Agostinetto