When libxmlloader options are teh default values, disable the entity loader as well. CVE-2014-2054 by MITRE

2014-02-21 11:06:44 +01:00 · 2014-02-21 11:06:44 +01:00 · fdc4532bc7
parent 1dad681142
commit fdc4532bc7
1 changed files with 3 additions and 2 deletions
--- a/Classes/PHPExcel/Settings.php
+++ b/Classes/PHPExcel/Settings.php
@ -366,6 +366,7 @@ class PHPExcel_Settings
        if (is_null($options)) {
            $options = LIBXML_DTDLOAD | LIBXML_DTDATTR;
        }
+        @libxml_disable_entity_loader($options == (LIBXML_DTDLOAD | LIBXML_DTDATTR)); 
        self::$_libXmlLoaderOptions = $options;
    } // function setLibXmlLoaderOptions

@ -378,8 +379,8 @@ class PHPExcel_Settings
    public static function getLibXmlLoaderOptions()
    {
        if (is_null(self::$_libXmlLoaderOptions)) {
-            self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR;
+            self::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);
        }
        return self::$_libXmlLoaderOptions;
    } // function getLibXmlLoaderOptions
-}
+}