mirror of
https://github.com/retailcrm/PHPExcel.git
synced 2024-11-22 21:36:05 +03:00
Fix regexp for XEE validation
This commit is contained in:
parent
bc7028ae4e
commit
75bb9d7eda
@ -235,7 +235,7 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
|
|||||||
*/
|
*/
|
||||||
public function securityScan($xml)
|
public function securityScan($xml)
|
||||||
{
|
{
|
||||||
$pattern = '/\0?<\0?!\0?E\0?N\0?T\0?I\0?T\0?Y\0?/';
|
$pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/';
|
||||||
if (preg_match($pattern, $xml)) {
|
if (preg_match($pattern, $xml)) {
|
||||||
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||||
}
|
}
|
||||||
|
@ -515,5 +515,20 @@ class PHPExcel_Reader_HTML extends PHPExcel_Reader_Abstract implements PHPExcel_
|
|||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks
|
||||||
|
*
|
||||||
|
* @param string $xml
|
||||||
|
* @throws PHPExcel_Reader_Exception
|
||||||
|
*/
|
||||||
|
public function securityScan($xml)
|
||||||
|
{
|
||||||
|
$pattern = '/\\0?' . implode('\\0?', str_split('<!ENTITY')) . '\\0?/';
|
||||||
|
if (preg_match($pattern, $xml)) {
|
||||||
|
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||||
|
}
|
||||||
|
return $xml;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user