From fdc4532bc75426b7eb18643cae9aa92f09f37201 Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Fri, 21 Feb 2014 11:06:44 +0100 Subject: [PATCH] When libxmlloader options are teh default values, disable the entity loader as well. CVE-2014-2054 by MITRE --- Classes/PHPExcel/Settings.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Classes/PHPExcel/Settings.php b/Classes/PHPExcel/Settings.php index 03e1a26..964146f 100644 --- a/Classes/PHPExcel/Settings.php +++ b/Classes/PHPExcel/Settings.php @@ -366,6 +366,7 @@ class PHPExcel_Settings if (is_null($options)) { $options = LIBXML_DTDLOAD | LIBXML_DTDATTR; } + @libxml_disable_entity_loader($options == (LIBXML_DTDLOAD | LIBXML_DTDATTR)); self::$_libXmlLoaderOptions = $options; } // function setLibXmlLoaderOptions @@ -378,8 +379,8 @@ class PHPExcel_Settings public static function getLibXmlLoaderOptions() { if (is_null(self::$_libXmlLoaderOptions)) { - self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR; + self::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR); } return self::$_libXmlLoaderOptions; } // function getLibXmlLoaderOptions -} \ No newline at end of file +}