From 2b601574975acfb9d4378a788ed5f2b747958095 Mon Sep 17 00:00:00 2001
From: MarkBaker
Date: Thu, 22 Nov 2018 23:50:50 +0100
Subject: [PATCH] Fix and improve XXE security scanning for XML-based Readers
---
 Classes/PHPExcel/Reader/Abstract.php | 12 ++++++++++++
 changelog.txt | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/Classes/PHPExcel/Reader/Abstract.php b/Classes/PHPExcel/Reader/Abstract.php
index 189c70a..deeb75a 100644
--- a/Classes/PHPExcel/Reader/Abstract.php
+++ b/Classes/PHPExcel/Reader/Abstract.php
@@ -269,6 +269,18 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
 */
 public function securityScan($xml)
 {
+ $pattern = '/encoding="(.*?)"/';
+ $result = preg_match($pattern, $xml, $matches);
+ if ($result) {
+ $charset = $matches[1];
+ } else {
+ $charset = 'UTF-8';
+ }
+
+ if ($charset !== 'UTF-8') {
+ $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
+ }
+ $pattern = '/\\0?' . implode('\\0?', str_split('