diff --git a/Documentation/PHPExcel User Documentation - Reading Spreadsheet Files.doc b/Documentation/PHPExcel User Documentation - Reading Spreadsheet Files.doc index d1dde477..c1dc2b55 100644 Binary files a/Documentation/PHPExcel User Documentation - Reading Spreadsheet Files.doc and b/Documentation/PHPExcel User Documentation - Reading Spreadsheet Files.doc differ diff --git a/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md b/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md new file mode 100644 index 00000000..ee964643 --- /dev/null +++ b/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md @@ -0,0 +1,22 @@ +# PHPExcel User Documentation – Reading Spreadsheet Files + + +## Security + +XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to: + + - Disclosure whether a file is existent + - Server Side Request Forgery + - Command Execution (depending on the installed PHP wrappers) + + +To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default. + + +Should you ever need to change these settings, the following method is available through the PHPExcel_Settings: + +``` +PHPExcel_Settings::setLibXmlLoaderOptions(); +``` + +Allowing you to specify the XML loader settings that you want to use instead. diff --git a/Documentation/markdown/ReadingSpreadsheetFiles/02-Loading-a-Spreadsheet.md b/Documentation/markdown/ReadingSpreadsheetFiles/03-Loading-a-Spreadsheet.md similarity index 100% rename from Documentation/markdown/ReadingSpreadsheetFiles/02-Loading-a-Spreadsheet.md rename to Documentation/markdown/ReadingSpreadsheetFiles/03-Loading-a-Spreadsheet.md 
diff --git a/Documentation/markdown/ReadingSpreadsheetFiles/03-Loading-with-a-Reader.md b/Documentation/markdown/ReadingSpreadsheetFiles/04-Loading-with-a-Reader.md similarity index 100% rename from Documentation/markdown/ReadingSpreadsheetFiles/03-Loading-with-a-Reader.md rename to Documentation/markdown/ReadingSpreadsheetFiles/04-Loading-with-a-Reader.md diff --git a/Documentation/markdown/ReadingSpreadsheetFiles/04-Reader-Options.md b/Documentation/markdown/ReadingSpreadsheetFiles/07-Reader-Options.md similarity index 100% rename from Documentation/markdown/ReadingSpreadsheetFiles/04-Reader-Options.md rename to Documentation/markdown/ReadingSpreadsheetFiles/07-Reader-Options.md diff --git a/changelog.txt b/changelog.txt index 2029aee3..7ad3b0e2 100644 --- a/changelog.txt +++ b/changelog.txt @@ -62,6 +62,8 @@ Fixed in develop branch for release v1.8.0: - General: (adamriyadi) Work Item GH-247 - Modify PHPExcel_Reader_Excel2007 to use zipClass from PHPExcel_Settings::getZipClass() This allows the use of PCLZip when reading for people that don't have access to ZipArchive - General: (infojunkie) Work Item GH-276 - Convert properties to string in OOCalc reader +- Security: (maartenba) Work Item GH-322 - Disable libxml external entity loading by default. + This is to prevent XML External Entity Processing (XXE) injection attacks (see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html for an explanation of XXE injection). Fixed in develop branch for release v1.7.9:
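Review bot: In the new 02-Security.md the mitigation paragraph does not match what the changelog in this same patch says the fix does. The document states "To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default", while the changelog entry says the change disables libxml external entity loading by default. LIBXML_DTDLOAD and LIBXML_DTDATTR control DTD loading and DTD attribute defaulting; neither of them is the switch that stops external entities from being resolved, so a reader cannot tell from this text which mechanism actually protects them. Please state the real mechanism here (if entity loading is disabled, say so and name the call that does it) and keep the two descriptions consistent. Two smaller points in the same hunk: the sample `PHPExcel_Settings::setLibXmlLoaderOptions();` is shown with no argument although the surrounding text says it lets you specify the loader settings, so it should show the parameter, e.g. `PHPExcel_Settings::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);`, together with a sentence on what a caller who relaxes the defaults gives up; and the first bullet should read "Disclosure of whether a file exists". The fence would also benefit from a `php` language tag, matching the other markdown pages.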
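Review bot: The changelog.txt hunk describes the change as "Disable libxml external entity loading by default" but gives the user no hint that the behaviour is configurable, even though the documentation added in this patch introduces `PHPExcel_Settings::setLibXmlLoaderOptions()` for exactly that purpose. Because this is a security default that may break applications relying on DTD processing in their spreadsheets, the entry should mention the opt-out so that someone reading only the changelog after an upgrade knows where to look, for example by appending "Use PHPExcel_Settings::setLibXmlLoaderOptions() to override." to the continuation line. The wording should also be brought into line with the documentation, which currently speaks of setting LIBXML_DTDLOAD and LIBXML_DTDATTR rather than of disabling entity loading.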