Modified XEE security scan to handle UTF-16 charset, and added unit tests for the security scan
This commit is contained in:
parent
0ab614fd95
commit
bc7028ae4e
@ -235,7 +235,8 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
*/
*/
public function securityScan($xml)
public function securityScan($xml)
{
{
if (strpos($xml, '<!ENTITY') !== false) {
$pattern = '/\0?<\0?!\0?E\0?N\0?T\0?I\0?T\0?Y\0?/';
if (preg_match($pattern, $xml)) {
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
}
}
return $xml;
return $xml;
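Review bot: The new `preg_match` check fails open: on a PCRE error (for example a backtrack or JIT-stack limit hit on a very large worksheet XML) `preg_match` returns `false`, which this `if` treats the same as "no match", so the exception is skipped exactly when the scan could not run. Make the test fail-closed with `if (preg_match($pattern, $xml) !== 0) {`, so both a match and an error abort the load. The optional-NUL interleaving only covers UTF-16, and the check remains a byte-pattern denylist, so any other encoding the underlying XML parser accepts (UTF-32, or UTF-7 depending on libxml/iconv support, which I could not verify here) would slip past it; the parse sites should additionally disable external entity loading (`libxml_disable_entity_loader(true)`) and never pass `LIBXML_NOENT`/`LIBXML_DTDLOAD`, treating this scan as defence in depth rather than the only control. Rejecting any `<!DOCTYPE` (which an entity declaration requires) would also be a smaller and stricter pattern than matching `<!ENTITY` alone. The whole of `securityScan` is visible in this section.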
@ -0,0 +1,55 @@
<?php
class XEEValidatorTest extends PHPUnit_Framework_TestCase
{
public function setUp()
{
if (!defined('PHPEXCEL_ROOT')) {
define('PHPEXCEL_ROOT', APPLICATION_PATH . '/');
}
require_once(PHPEXCEL_ROOT . 'PHPExcel/Autoloader.php');
}
/**
* @dataProvider providerInvalidXML
* @expectedException PHPExcel_Reader_Exception
*/
public function testInvalidXML($filename)
{
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
$expectedResult = 'FAILURE: Should throw an Exception rather than return a value';
$result = $reader->securityScanFile($filename);
$this->assertEquals($expectedResult, $result);
}
public function providerInvalidXML()
{
$tests = [];
foreach(glob('rawTestData/Reader/XEETestInvalid*.xml') as $file) {
$tests[] = [realpath($file), true];
}
return $tests;
}
/**
* @dataProvider providerValidXML
*/
public function testValidXML($filename, $expectedResult)
{
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
$result = $reader->securityScanFile($filename);
$this->assertEquals($expectedResult, $result);
}
public function providerValidXML()
{
$tests = [];
foreach(glob('rawTestData/Reader/XEETestValid*.xml') as $file) {
$tests[] = [realpath($file), file_get_contents($file)];
}
return $tests;
}
}
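Review bot: Both data providers glob a path relative to the process working directory (`rawTestData/Reader/XEETestInvalid*.xml` and the matching `XEETestValid*` pattern), so when PHPUnit is launched from any other directory `glob()` returns nothing, the providers yield zero datasets and these XEE regression tests silently never run instead of failing. Anchor the pattern to the test file, e.g. `glob(__DIR__ . '/../rawTestData/Reader/XEETestInvalid*.xml')` with the relative part adjusted to the real layout, and guard the empty case with something like `if ($tests === []) { throw new RuntimeException('no XEE fixtures found'); }` so a missing fixture directory is loud. Minor: `providerInvalidXML` yields a second element `true` that `testInvalidXML($filename)` never declares, and the `assertEquals` after the `securityScanFile` call is unreachable under `@expectedException`, so one of the two should go. Whether the UTF-16 path is actually exercised depends on the binary fixtures not shown on this page, and `securityScanFile` itself is outside the hunk, so I could not confirm the new NUL-interleaved branch is covered.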
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [
<!ENTITY x0 "DoS">
]>
<root>
test: (&x0;)
</root>
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<root>
test: Valid
</root>