From 0787e56d41c1279faf2d0e4592d92d74a3f9502f Mon Sep 17 00:00:00 2001 From: Yves Maerschalck Date: Wed, 16 Jul 2014 09:28:33 +0200 Subject: [PATCH] XML External Entity (XXE) Processing https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing change simplexml_load_file to simplexml_load_string(file_get_contents()) because load_file doesn't work when http://php.net/manual/en/function.libxml-disable-entity-loader.php is true --- Classes/PHPExcel/Reader/Excel2003XML.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Classes/PHPExcel/Reader/Excel2003XML.php b/Classes/PHPExcel/Reader/Excel2003XML.php index 17472d0..6f3a4ef 100644 --- a/Classes/PHPExcel/Reader/Excel2003XML.php +++ b/Classes/PHPExcel/Reader/Excel2003XML.php @@ -137,7 +137,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P $worksheetNames = array(); - $xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); + $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $namespaces = $xml->getNamespaces(true); $xml_ss = $xml->children($namespaces['ss']); @@ -165,7 +165,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P $worksheetInfo = array(); - $xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); + $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $namespaces = $xml->getNamespaces(true); $worksheetID = 1; @@ -330,7 +330,7 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P throw new PHPExcel_Reader_Exception($pFilename . " is an Invalid Spreadsheet file."); } - $xml = simplexml_load_file($pFilename, 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); + $xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions()); $namespaces = $xml->getNamespaces(true); $docProps = $objPHPExcel->getProperties();