PHPExcel/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md
2014-02-21 09:56:57 +00:00


# PHPExcel User Documentation - Reading Spreadsheet Files

## Security

XML-based formats such as Office Open XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks when reading spreadsheet files (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html). This can lead to:

- Disclosure of whether a file exists
- Server Side Request Forgery
- Command Execution (depending on the installed PHP wrappers)

To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.

Should you ever need to change these settings, the following method is available through the PHPExcel_Settings class:

```php
// $options is a bitmask of the LIBXML_* constants to pass to the XML readers
PHPExcel_Settings::setLibXmlLoaderOptions($options);
```

This allows you to specify the XML loader settings that you want to use instead.

> While PHPExcel protects you with its default settings, if you do change these settings yourself, then you're responsible for ensuring that your XML-based formats aren't open to XXE injection.
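As an added example (not part of the PHPExcel documentation or code base), the following script shows how an application that overrides the loader options can keep the responsibility the note above describes: it sets the options explicitly, disables PHP's external entity loader as a belt-and-braces measure, and refuses to hand a workbook to the Excel2007 reader if any XML part inside the package declares a DOCTYPE or ENTITY, which well-formed spreadsheet XML never needs. The include path `Classes/PHPExcel.php`, the file name `upload.xlsx`, and the helper names `partDeclaresEntities`, `scanPackageForDtd` and `loadWorkbookSafely` are assumptions of this example.

```php
<?php
// Added example; not PHPExcel's own code. Assumes PHPExcel 1.8.x is reachable
// at Classes/PHPExcel.php (path is an assumption) and that the ZipArchive
// extension is available.
require_once 'Classes/PHPExcel.php';

// Replace the reader's libxml options explicitly. Anything passed here
// replaces PHPExcel's defaults, so pass only the flags you actually need.
PHPExcel_Settings::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);

// Independently of the libxml flags, stop libxml from fetching external
// entities at all (available since PHP 5.2.11; a no-op on PHP >= 8.0, where
// external entity loading is already off by default).
if (function_exists('libxml_disable_entity_loader')) {
    @libxml_disable_entity_loader(true);
}

/**
 * True if an XML part contains a DOCTYPE or ENTITY declaration.
 * NUL bytes are stripped first so an "<!\0DOCTYPE" spelling cannot slip past
 * the pattern while still being accepted by a lenient parser.
 */
function partDeclaresEntities($xml)
{
    $xml = str_replace("\0", '', $xml);
    return (bool) preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml);
}

/**
 * Scans every .xml and .rels part of an OOXML package and returns the names
 * of the parts that declare a DOCTYPE or ENTITY (empty array if none).
 */
function scanPackageForDtd($path)
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        throw new RuntimeException("Cannot open package: $path");
    }

    $offending = array();
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!preg_match('/\.(xml|rels)$/i', $name)) {
            continue;
        }
        $xml = $zip->getFromIndex($i);
        if ($xml !== false && partDeclaresEntities($xml)) {
            $offending[] = $name;
        }
    }
    $zip->close();

    return $offending;
}

/**
 * Loads a workbook with the Excel2007 reader only after the package passed
 * the DTD scan; otherwise throws so the caller can log and reject the upload.
 */
function loadWorkbookSafely($path)
{
    $offending = scanPackageForDtd($path);
    if (count($offending) > 0) {
        throw new RuntimeException(
            'Refusing to load ' . $path . ': DTD/ENTITY declarations in '
            . implode(', ', $offending)
        );
    }

    $reader = PHPExcel_IOFactory::createReader('Excel2007');
    $reader->setReadDataOnly(true); // no need for styles when only values matter
    return $reader->load($path);
}

// Constructed usage: 'upload.xlsx' stands in for a user-supplied file.
try {
    $workbook = loadWorkbookSafely('upload.xlsx');
    echo 'Loaded sheet: ' . $workbook->getActiveSheet()->getTitle() . PHP_EOL;
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    echo 'Upload rejected.' . PHP_EOL;
}
```

The pre-scan is cheap because it runs on the raw XML text before any parser touches it, so it holds even if the libxml options are later changed elsewhere in the application; keeping the explicit `setLibXmlLoaderOptions()` call next to it makes the chosen options visible in code review rather than buried in library defaults.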