Updated documentation for XXE injection in readers
parent e04bf7ed09
commit c243bcb8ad
Binary file not shown.
@ -0,0 +1,22 @@
# PHPExcel User Documentation – Reading Spreadsheet Files
## Security
XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:
- Disclosure whether a file is existent
- Server Side Request Forgery
- Command Execution (depending on the installed PHP wrappers)
To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.
Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:
```
PHPExcel_Settings::setLibXmlLoaderOptions();
```
Allowing you to specify the XML loader settings that you want to use instead.
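Review bot: the sentence "To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default" attributes the protection to the wrong mechanism and contradicts the changelog hunk in this same commit, which describes the fix as "Disable libxml external entity loading by default"; LIBXML_DTDLOAD and LIBXML_DTDATTR tell libxml to load the external DTD subset and apply DTD attribute defaults, they do not stop external entity resolution. Reword to say that external entity loading is disabled by default and present LIBXML_DTDLOAD | LIBXML_DTDATTR as the default loader options the readers pass to libxml. The snippet `PHPExcel_Settings::setLibXmlLoaderOptions();` shows no argument and its fence carries no language tag, so a reader cannot tell what to pass; show the call with its options parameter, e.g. `PHPExcel_Settings::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);`, tag the fence as php, and state that loader options which re-enable external entities reopen the file disclosure, SSRF and wrapper-based execution risks listed in this section. Minor wording: "Disclosure whether a file is existent" reads better as "Disclosure of whether a file exists".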
@ -62,6 +62,8 @@ Fixed in develop branch for release v1.8.0:
- General: (adamriyadi) Work Item GH-247 - Modify PHPExcel_Reader_Excel2007 to use zipClass from PHPExcel_Settings::getZipClass()
This allows the use of PCLZip when reading for people that don't have access to ZipArchive
- General: (infojunkie) Work Item GH-276 - Convert properties to string in OOCalc reader
- Security: (maartenba) Work Item GH-322 - Disable libxml external entity loading by default.
This is to prevent XML External Entity Processing (XXE) injection attacks (see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html for an explanation of XXE injection).
Fixed in develop branch for release v1.7.9:
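Review bot: the GH-322 entry announces that external entity loading is now disabled by default but gives users no pointer to the override, although workbooks that depend on external entities or DTDs will stop loading after this change; add a line naming `PHPExcel_Settings::setLibXmlLoaderOptions()` as the documented way to change the loader options, matching the new Security section in the reading documentation. The two hunks should also agree on what the protection is: this entry says entity loading is disabled, while the Security section says the readers set LIBXML_DTDLOAD and LIBXML_DTDATTR, and one of the two needs correcting so that the changelog and the user documentation describe the same mechanism.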