mcndave/spout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #58 from box/improve_xml_security

Browse Source 
Prevent entity loading when reading XML
This commit is contained in:
Adrien Loison 2015-07-01 14:19:49 -07:00
commit c6ebf115fc
3 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Spout/Reader/Helper/XLSX/SharedStringsHelper.php
View File

@ -112,7 +112,7 @@ class SharedStringsHelper
$escaper = new \Box\Spout\Common\Escaper\XLSX(); $escaper = new \Box\Spout\Common\Escaper\XLSX();
$sharedStringsFilePath = $this->getSharedStringsFilePath(); $sharedStringsFilePath = $this->getSharedStringsFilePath();
if ($xmlReader->open($sharedStringsFilePath, null, LIBXML_NONET) === false) { if ($xmlReader->open($sharedStringsFilePath, null, LIBXML_NOENT|LIBXML_NONET) === false) {
throw new IOException('Could not open "' . self::SHARED_STRINGS_XML_FILE_PATH . '".'); throw new IOException('Could not open "' . self::SHARED_STRINGS_XML_FILE_PATH . '".');
} }

2
src/Spout/Reader/XLSX.php
View File

@ -158,7 +158,7 @@ class XLSX extends AbstractReader
$worksheetDataXMLFilePath = $worksheet->getDataXmlFilePath(); $worksheetDataXMLFilePath = $worksheet->getDataXmlFilePath();
$worksheetDataFilePath = 'zip://' . $this->filePath . '#' . $worksheetDataXMLFilePath; $worksheetDataFilePath = 'zip://' . $this->filePath . '#' . $worksheetDataXMLFilePath;
if ($this->xmlReader->open($worksheetDataFilePath, null, LIBXML_NONET) === false) { if ($this->xmlReader->open($worksheetDataFilePath, null, LIBXML_NOENT|LIBXML_NONET) === false) {
throw new IOException('Could not open "' . $worksheetDataXMLFilePath . '".'); throw new IOException('Could not open "' . $worksheetDataXMLFilePath . '".');
} }
} }

2
tests/Spout/Reader/XLSXTest.php
View File

@ -250,7 +250,7 @@ class XLSXTest extends \PHPUnit_Framework_TestCase
{ {
$allRows = $this->getAllRowsForFile('billion_laughs_test_file.xlsx'); $allRows = $this->getAllRowsForFile('billion_laughs_test_file.xlsx');
$expectedMaxMemoryUsage = 20 * 1024 * 1024; // 20MB $expectedMaxMemoryUsage = 30 * 1024 * 1024; // 30MB
$this->assertLessThan($expectedMaxMemoryUsage, memory_get_peak_usage(true), 'Entities should not be expanded and therefore consume all the memory.'); $this->assertLessThan($expectedMaxMemoryUsage, memory_get_peak_usage(true), 'Entities should not be expanded and therefore consume all the memory.');
$expectedFirstRow = ['s1--A1', 's1--B1', 's1--C1', 's1--D1', 's1--E1']; $expectedFirstRow = ['s1--A1', 's1--B1', 's1--C1', 's1--D1', 's1--E1'];