Don't rely purely on libxml_disable_entity_loader()

MarkBaker 2018-11-20 18:40:09 +01:00
parent 1f4cb1f19a
commit f02898e14d
1 changed files with 4 additions and 5 deletions


@ -62,12 +62,11 @@ class XmlScanner
$xml = mb_convert_encoding($xml, 'UTF-8', $charset); $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
} }
if (!$this->libxmlDisableEntityLoader) { // Don't rely purely on libxml_disable_entity_loader()
$pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/'; $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
if (preg_match($pattern, $xml)) { if (preg_match($pattern, $xml)) {
throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
} }
}
return $xml; return $xml;
} }
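Review bot: With the `libxmlDisableEntityLoader` guard removed, the `preg_match($pattern, $xml)` test is the check every load now depends on, and it fails open: `preg_match()` returns `false` on a PCRE error, which the `if` treats the same as "no ENTITY found". Comparing explicitly, `if (preg_match($pattern, $xml) !== 0) {`, makes an engine error abort the load as well. The pattern also tolerates only a single optional NUL byte between characters, so it relies on the `mb_convert_encoding()` call above having really produced UTF-8. Where `$charset` comes from is outside this hunk, but a declared encoding that is unsupported or does not match the actual bytes should probably be rejected rather than scanned as-is. The method's body starts outside the hunk, so this is worth confirming against the full function.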