Modified XEE security scan to handle UTF-16 charset, and added unit tests for the security scan
parent
0ab614fd95
commit
bc7028ae4e
@ -235,7 +235,8 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
|
|||
*/
|
||||
public function securityScan($xml)
|
||||
{
|
||||
if (strpos($xml, '<!ENTITY') !== false) {
|
||||
$pattern = '/\0?<\0?!\0?E\0?N\0?T\0?I\0?T\0?Y\0?/';
|
||||
if (preg_match($pattern, $xml)) {
|
||||
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||
}
|
||||
return $xml;
|
||||
|
|
|
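Review bot: The `if (preg_match($pattern, $xml))` line treats a PCRE failure the same as "no match": `preg_match()` returns `false` on an internal error, so a scan that could not run falls open and the unscanned XML is returned from this security check. Testing `if (preg_match($pattern, $xml) !== 0) {` instead makes an error abort the load as well; a separate branch on `=== false` with its own message would let callers tell a scan failure from a detected ENTITY declaration. The `\0?` gaps in `$pattern` also deserve a comment, e.g. `// optional NUL between characters so a UTF-16 encoded '<!ENTITY' is caught too`, since the commit message is the only record of that intent; note the pattern admits at most one NUL per gap, so a UTF-32 encoded document (three NULs per ASCII character) would not match it and would need its own handling if the downstream parser accepts that encoding. securityScan() begins before this hunk and its closing brace lies after it.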
@ -0,0 +1,55 @@
|
|||
<?php
|
||||
|
||||
|
||||
class XEEValidatorTest extends PHPUnit_Framework_TestCase
|
||||
{
|
||||
|
||||
public function setUp()
|
||||
{
|
||||
if (!defined('PHPEXCEL_ROOT')) {
|
||||
define('PHPEXCEL_ROOT', APPLICATION_PATH . '/');
|
||||
}
|
||||
require_once(PHPEXCEL_ROOT . 'PHPExcel/Autoloader.php');
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider providerInvalidXML
|
||||
* @expectedException PHPExcel_Reader_Exception
|
||||
*/
|
||||
public function testInvalidXML($filename)
|
||||
{
|
||||
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
|
||||
$expectedResult = 'FAILURE: Should throw an Exception rather than return a value';
|
||||
$result = $reader->securityScanFile($filename);
|
||||
$this->assertEquals($expectedResult, $result);
|
||||
}
|
||||
|
||||
public function providerInvalidXML()
|
||||
{
|
||||
$tests = [];
|
||||
foreach(glob('rawTestData/Reader/XEETestInvalid*.xml') as $file) {
|
||||
$tests[] = [realpath($file), true];
|
||||
}
|
||||
return $tests;
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider providerValidXML
|
||||
*/
|
||||
public function testValidXML($filename, $expectedResult)
|
||||
{
|
||||
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
|
||||
$result = $reader->securityScanFile($filename);
|
||||
$this->assertEquals($expectedResult, $result);
|
||||
}
|
||||
|
||||
public function providerValidXML()
|
||||
{
|
||||
$tests = [];
|
||||
foreach(glob('rawTestData/Reader/XEETestValid*.xml') as $file) {
|
||||
$tests[] = [realpath($file), file_get_contents($file)];
|
||||
}
|
||||
return $tests;
|
||||
}
|
||||
|
||||
}
|
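Review bot: `glob('rawTestData/Reader/XEETestInvalid*.xml')` in providerInvalidXML (and the matching call in providerValidXML) is resolved against the process working directory, so when the fixtures are not found the provider returns `[]` and testInvalidXML never calls securityScanFile — on the PHPUnit generation this file targets an empty provider surfaces as a skip or warning rather than a failure, which silently disables the XXE regression check. Anchor the path to the test directory, `glob(__DIR__ . '/rawTestData/Reader/XEETestInvalid*.xml')` (adjusted to wherever rawTestData actually lives relative to this file), and fail loudly on an empty result, `if ($tests === []) { throw new RuntimeException('no XEE fixture files found'); }`, so a missing fixture set is reported as an error. The `true` second element in `$tests[] = [realpath($file), true];` is never received by `testInvalidXML($filename)`, so either drop it or declare the parameter. securityScanFile() is not part of the securityScan() hunk above; I assume it is an existing method of PHPExcel_Reader_Abstract that reads the file and delegates to the scan, which is worth confirming since the binary (presumably UTF-16) fixtures only exercise the new pattern through that path.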
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,8 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<!DOCTYPE root [
|
||||
<!ENTITY x0 "DoS">
|
||||
]>
|
||||
|
||||
<root>
|
||||
test: (&x0;)
|
||||
</root>
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,4 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<root>
|
||||
test: Valid
|
||||
</root>
|