From bc7028ae4e72643a6feae86325ba44fc14364484 Mon Sep 17 00:00:00 2001
From: MarkBaker
Date: Wed, 29 Apr 2015 22:23:14 +0100
Subject: [PATCH] Modified XEE security scan to handle UTF-16 charset, and added unit tests for the security scan
---
 Classes/PHPExcel/Reader/Abstract.php | 3 +-
 .../PHPExcel/Reader/XEEValidatorTest.php | 55 ++++++++++++++++++
 .../Reader/XEETestInvalidUTF-16.xml | Bin 0 -> 276 bytes
 .../Reader/XEETestInvalidUTF-16BE.xml | Bin 0 -> 278 bytes
 .../Reader/XEETestInvalidUTF-16LE.xml | Bin 0 -> 278 bytes
 .../Reader/XEETestInvalidUTF-8.xml | 8 +++
 .../rawTestData/Reader/XEETestValidUTF-16.xml | Bin 0 -> 176 bytes
 .../Reader/XEETestValidUTF-16BE.xml | Bin 0 -> 178 bytes
 .../Reader/XEETestValidUTF-16LE.xml | Bin 0 -> 178 bytes
 .../rawTestData/Reader/XEETestValidUTF-8.xml | 4 ++
 10 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 unitTests/Classes/PHPExcel/Reader/XEEValidatorTest.php
 create mode 100644 unitTests/rawTestData/Reader/XEETestInvalidUTF-16.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestInvalidUTF-16BE.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestInvalidUTF-16LE.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestInvalidUTF-8.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestValidUTF-16.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestValidUTF-16BE.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestValidUTF-16LE.xml
 create mode 100644 unitTests/rawTestData/Reader/XEETestValidUTF-8.xml
diff --git a/Classes/PHPExcel/Reader/Abstract.php b/Classes/PHPExcel/Reader/Abstract.php
index fdbd2669..0036dff9 100644
--- a/Classes/PHPExcel/Reader/Abstract.php
+++ b/Classes/PHPExcel/Reader/Abstract.php
@@ -235,7 +235,8 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
 */
 public function securityScan($xml)
 {
- if (strpos($xml, 'getMockForAbstractClass('PHPExcel_Reader_Abstract');
+ $expectedResult = 'FAILURE: Should throw an Exception rather than return a value';
+ $result = $reader->securityScanFile($filename);
+ $this->assertEquals($expectedResult, $result);
+ }
+
+ public function providerInvalidXML()
+ {
+ $tests = [];
+ foreach(glob('rawTestData/Reader/XEETestInvalid*.xml') as $file) {
+ $tests[] = [realpath($file), true];
+ }
+ return $tests;
+ }
+
+ /**
+ * @dataProvider providerValidXML
+ */
+ public function testValidXML($filename, $expectedResult)
+ {
+ $reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
+ $result = $reader->securityScanFile($filename);
+ $this->assertEquals($expectedResult, $result);
+ }
+
+ public function providerValidXML()
+ {
+ $tests = [];
+ foreach(glob('rawTestData/Reader/XEETestValid*.xml') as $file) {
+ $tests[] = [realpath($file), file_get_contents($file)];
+ }
+ return $tests;
+ }
+
+ }
diff --git a/unitTests/rawTestData/Reader/XEETestInvalidUTF-16.xml b/unitTests/rawTestData/Reader/XEETestInvalidUTF-16.xml
new file mode 100644
index 0000000000000000000000000000000000000000..94eaedfc2aec6c1eb2e723c914acf0afcdbbfd65
GIT binary patch
literal 276
zcmX|*O%K697=)iIiT|*A5Dut|gO57+NL-NMAmSj}h@{#?MfmfW?v`w_?`G$jnfLu+ z=$VTVhj%=Ze(0YNf_eMp@pw$q$Hg5A4*L)TXoBZ8BI}L%VgX+N)2_#HY2j!OYTg> zh=2-Zbyk_MWGw%V6;tKk#HaEb_Lebvxs%gV7Gmd?H`>>i<|!j(t?5z^#dHn7Jg1eE VobPa_Cug0S&FIr8_G$n7gD--qCxrk2
literal 0
HcmV?d00001
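Review bot: Both data providers in the XEEValidatorTest hunk locate their fixtures relative to the process working directory, `glob('rawTestData/Reader/XEETestInvalid*.xml')` and `glob('rawTestData/Reader/XEETestValid*.xml')`, so a PHPUnit run started from anywhere but `unitTests/` gets an empty array from each provider and the security scan is never exercised against the UTF-16 fixtures this commit adds. Depending on the PHPUnit version an empty provider is reported as a skip or a warning rather than a failure, which is easy to overlook for a regression test guarding an XXE check. Anchoring on the test file's own location, `glob(__DIR__ . '/../../../rawTestData/Reader/XEETestInvalid*.xml')` (and likewise for the Valid provider), removes that dependency and makes the `realpath()` calls unnecessary. testInvalidXML also asserts the return value against a placeholder string instead of expecting the exception itself; if the `@expectedException` annotation that presumably governs it sits in the garbled part of this hunk, a `$this->setExpectedException('PHPExcel_Reader_Exception');` call before `securityScanFile()` would make that intent explicit in the body. The start of this hunk, including the class header and the first test's docblock, is not readable in this view.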
diff --git a/unitTests/rawTestData/Reader/XEETestInvalidUTF-16BE.xml b/unitTests/rawTestData/Reader/XEETestInvalidUTF-16BE.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1d186ff443435bec745501c2d7bfc81271e4c3c5
GIT binary patch
literal 278
zcmX|*!4APd6h+UL#6JuRVS(CMP;G)rY>;3fVjOWMPaI@)wJxh9`M$8B-myvT35$cYuC$j8EhD?Ny zM}s;pO%`mJ%W-6@Zll?$POjI+J3Go+a-{53OY6C+<%FNF%xW?h UJLHVj*`aM66S~ztga3T*3-^U44*&oF
literal 0
HcmV?d00001
diff --git a/unitTests/rawTestData/Reader/XEETestInvalidUTF-16LE.xml b/unitTests/rawTestData/Reader/XEETestInvalidUTF-16LE.xml
new file mode 100644
index 0000000000000000000000000000000000000000..c3913f71bb84e44fb3659848c69c0434945a2642
GIT binary patch
literal 278
zcmX|*!4APd6h+UL#6JuRVS(CMQ0;f@4L_Ep3laer{#gIOZs!@_~)qkio;bzkVdlvLWjaU&_E+gk6BGesQPh{DT44DWY zj|O#In#|cSljF!%-A1!hom{VzWsF|sDd>Q;*rnx-c6OAt + +]> + + + test: (&x0;) + \ No newline at end of file
diff --git a/unitTests/rawTestData/Reader/XEETestValidUTF-16.xml b/unitTests/rawTestData/Reader/XEETestValidUTF-16.xml
new file mode 100644
index 0000000000000000000000000000000000000000..6473fe6b6382c7f6993f3c9f0187bd0636613a98
GIT binary patch
literal 176
zcmYL?I}Ug^iD-dB + + test: Valid + \ No newline at end of file