From fdc4532bc75426b7eb18643cae9aa92f09f37201 Mon Sep 17 00:00:00 2001
From: Maarten Balliauw
Date: Fri, 21 Feb 2014 11:06:44 +0100
Subject: [PATCH] When libxmlloader options are teh default values, disable the entity loader as well. CVE-2014-2054 by MITRE
---
 Classes/PHPExcel/Settings.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Classes/PHPExcel/Settings.php b/Classes/PHPExcel/Settings.php
index 03e1a264..964146fb 100644
--- a/Classes/PHPExcel/Settings.php
+++ b/Classes/PHPExcel/Settings.php
@@ -366,6 +366,7 @@ class PHPExcel_Settings
 if (is_null($options)) {
 $options = LIBXML_DTDLOAD | LIBXML_DTDATTR;
 }
+ @libxml_disable_entity_loader($options == (LIBXML_DTDLOAD | LIBXML_DTDATTR));
 self::$_libXmlLoaderOptions = $options;
 } // function setLibXmlLoaderOptions
@@ -378,8 +379,8 @@ class PHPExcel_Settings
 public static function getLibXmlLoaderOptions()
 {
 if (is_null(self::$_libXmlLoaderOptions)) {
- self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR;
+ self::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);
 }
 return self::$_libXmlLoaderOptions;
 } // function getLibXmlLoaderOptions
-}
\ No newline at end of file
+}
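Review bot: The added `@libxml_disable_entity_loader(...)` call in setLibXmlLoaderOptions() passes `false` whenever `$options` is anything other than the exact default, so a caller that adds even an unrelated flag switches external entity loading back on. Because that switch is libxml-wide rather than scoped to this class, it would also undo a `libxml_disable_entity_loader(true)` issued earlier by the host application. Consider only ever turning the loader off here and leaving the global state alone otherwise, e.g. `if (($options & LIBXML_NOENT) === 0) { libxml_disable_entity_loader(true); }`, with a docblock line stating that entity substitution must be requested explicitly. The `@` also hides a failure of the call itself, which would leave the XXE protection silently absent; a `function_exists('libxml_disable_entity_loader')` guard makes that case visible. The method's signature and docblock are outside the hunk.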
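Review bot: In getLibXmlLoaderOptions() the entity loader is now disabled as a side effect of a getter, and only on the first call, while `self::$_libXmlLoaderOptions` is still null. Later calls return the cached options without re-asserting the setting, so if other code re-enables the loader in between, parsing would presumably proceed unprotected; any parse site that does not go through this getter is not covered either, which cannot be checked from this hunk. At minimum the docblock should state the side effect, e.g. `Note: on first use this also disables the libxml entity loader (XXE hardening).` A more robust arrangement would apply the setting immediately before each XML load and restore the previous value afterwards.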