RetailCRM-Mirror/PHPExcel
1
0
Fork 0
mirror of https://github.com/retailcrm/PHPExcel.git synced 2024-11-23 05:46:06 +03:00
Code Issues Projects Releases Wiki Activity
c243bcb8ad
PHPExcel/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md

869 B
Raw Blame History

PHPExcel User Documentation Reading Spreadsheet Files

Security

XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:

  • Disclosure whether a file is existent
  • Server Side Request Forgery
  • Command Execution (depending on the installed PHP wrappers)

To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.

Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:

PHPExcel_Settings::setLibXmlLoaderOptions();

Allowing you to specify the XML loader settings that you want to use instead.