mirror of
https://github.com/retailcrm/PHPExcel.git
synced 2024-11-23 13:56:05 +03:00
23 lines
869 B
Markdown
23 lines
869 B
Markdown
|
# PHPExcel User Documentation – Reading Spreadsheet Files
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Security
|
|||
|
|
|
|||
|
|
XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:
|
|||
|
|
|
|||
|
|
- Disclosure whether a file is existent
|
|||
|
|
- Server Side Request Forgery
|
|||
|
|
- Command Execution (depending on the installed PHP wrappers)
|
|||
|
|
|
|||
|
|
|
|||
|
|
To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.
|
|||
|
|
|
|||
|
|
|
|||
|
|
Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
PHPExcel_Settings::setLibXmlLoaderOptions();
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Allowing you to specify the XML loader settings that you want to use instead.
|