mirror of
https://github.com/retailcrm/PHPExcel.git
synced 2024-11-25 23:06:03 +03:00
Fix regexp for XEE validation
This commit is contained in:
parent
bc7028ae4e
commit
75bb9d7eda
@ -235,7 +235,7 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
|
||||
*/
|
||||
public function securityScan($xml)
|
||||
{
|
||||
$pattern = '/\0?<\0?!\0?E\0?N\0?T\0?I\0?T\0?Y\0?/';
|
||||
$pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/';
|
||||
if (preg_match($pattern, $xml)) {
|
||||
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||
}
|
||||
|
@ -515,5 +515,20 @@ class PHPExcel_Reader_HTML extends PHPExcel_Reader_Abstract implements PHPExcel_
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks
|
||||
*
|
||||
* @param string $xml
|
||||
* @throws PHPExcel_Reader_Exception
|
||||
*/
|
||||
public function securityScan($xml)
|
||||
{
|
||||
$pattern = '/\\0?' . implode('\\0?', str_split('<!ENTITY')) . '\\0?/';
|
||||
if (preg_match($pattern, $xml)) {
|
||||
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||
}
|
||||
return $xml;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user