Merge pull request #1427 from troosan/libxml_disable_entity_loader

disable entity loader before parsing XML to avoid XXE injection
troosan 2018-07-14 01:01:49 +02:00 committed by GitHub
commit cdc18522a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 8 additions and 4 deletions


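--- a/<changelog path not shown on page>
+++ b/<changelog path not shown on page>
@@ -37,6 +37,7 @@ v0.15.0 (?? ??? 2018)
 - Fix parsing of Heading and Title formating @troosan @gthomas2 #465
 - Fix Dateformat typo, fix hours casing, add Month-Day-Year formats @ComputerTinker #591
 - Fix missing column width in ODText writer @potofcoffee #413
+- Disable entity loader before parsing XML to avoid XXE injection @Tom4t0 #1427
 ### Changed
 - Remove zend-stdlib dependency @Trainmaster #1284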


@ -66,7 +66,7 @@
"require-dev": { "require-dev": {
"ext-zip": "*", "ext-zip": "*",
"ext-gd": "*", "ext-gd": "*",
"phpunit/phpunit": "^4.8.36 || ^5.0", "phpunit/phpunit": "^4.8.36 || ^7.0",
"squizlabs/php_codesniffer": "^2.9", "squizlabs/php_codesniffer": "^2.9",
"friendsofphp/php-cs-fixer": "^2.2", "friendsofphp/php-cs-fixer": "^2.2",
"phpmd/phpmd": "2.*", "phpmd/phpmd": "2.*",


@ -6,8 +6,7 @@
convertNoticesToExceptions="true" convertNoticesToExceptions="true"
convertWarningsToExceptions="true" convertWarningsToExceptions="true"
processIsolation="false" processIsolation="false"
stopOnFailure="false" stopOnFailure="false">
syntaxCheck="false">
<testsuites> <testsuites>
<testsuite name="PhpWord Test Suite"> <testsuite name="PhpWord Test Suite">
<directory>./tests/PhpWord</directory> <directory>./tests/PhpWord</directory>
@ -22,7 +21,7 @@
</whitelist> </whitelist>
</filter> </filter>
<logging> <logging>
<log type="coverage-html" target="./build/coverage" charset="UTF-8" highlight="true" /> <log type="coverage-html" target="./build/coverage" />
<log type="coverage-clover" target="./build/logs/clover.xml" /> <log type="coverage-clover" target="./build/logs/clover.xml" />
</logging> </logging>
</phpunit> </phpunit>
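Review bot: The phpunit.xml hunks (and the composer.json hunk above) carry a test-harness change that is unrelated to the XXE fix the commit message describes and is not mentioned in it; they appear to move the dev dependency to PHPUnit 7 and drop the `syntaxCheck`, `charset` and `highlight` attributes that release no longer accepts, though the rendered page does not make the old/new side of each changed line explicit. Bundling it with a security fix makes the fix harder to audit and to backport to a branch that still runs the older PHPUnit. A sentence in the commit description such as `Also moves the dev dependency to PHPUnit 7 and removes config attributes it no longer supports` would at least record the intent.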


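--- a/<path not shown on page>/Html.php
+++ b/<path not shown on page>/Html.php
@@ -71,6 +71,7 @@ class Html
 }
 // Load DOM
+libxml_disable_entity_loader(true);
 $dom = new \DOMDocument();
 $dom->preserveWhiteSpace = $preserveWhiteSpace;
 $dom->loadXML($html);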
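Review bot: `libxml_disable_entity_loader(true)` on the line before `new \DOMDocument()` flips a process-wide libxml setting and never restores it, so any later code in the same request that legitimately relies on the external entity loader (`DOMDocument::load()` on a file path goes through that loader, as the XmlDocument hunk below shows) inherits the change; the TemplateProcessor hunk has the same unrestored call. The function returns the previous state, so capture and restore it around the parse: `$previousEntityLoaderState = libxml_disable_entity_loader(true);` in place of the added line and `libxml_disable_entity_loader($previousEntityLoaderState);` directly after `$dom->loadXML($html);`. Since `libxml_disable_entity_loader()` is deprecated as of PHP 8.0, where external entity loading is already off by default, a comment such as `// Prevent XXE: external entities must not be resolved while parsing caller-supplied markup` records why the call is there for whoever later removes it. The enclosing method starts and ends outside the hunk, and the hunk does not check the `false` return of `$dom->loadXML($html)`.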


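--- a/<path not shown on page>/TemplateProcessor.php
+++ b/<path not shown on page>/TemplateProcessor.php
@@ -113,6 +113,7 @@ class TemplateProcessor
 */
 protected function transformSingleXml($xml, $xsltProcessor)
 {
+libxml_disable_entity_loader(true);
 $domDocument = new \DOMDocument();
 if (false === $domDocument->loadXML($xml)) {
 throw new Exception('Could not load the given XML document.');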


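--- a/<path not shown on page>/XmlDocument.php
+++ b/<path not shown on page>/XmlDocument.php
@@ -76,8 +76,10 @@ class XmlDocument
 $this->file = $file;
 $file = $this->path . '/' . $file;
+libxml_disable_entity_loader(false);
 $this->dom = new \DOMDocument();
 $this->dom->load($file);
+libxml_disable_entity_loader(true);
 return $this->dom;
 }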
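Review bot: The `libxml_disable_entity_loader(false)` / `libxml_disable_entity_loader(true)` pair around `$this->dom->load($file)` re-enables the external entity loader for the duration of the load, which `DOMDocument::load()` on a path does need, but then unconditionally sets it to `true`, hard-coding the assumption that the loader was disabled before this method ran instead of restoring the caller's state. Keep the previous value: `$previousEntityLoaderState = libxml_disable_entity_loader(false);` in place of the first added line and `libxml_disable_entity_loader($previousEntityLoaderState);` in place of the second. While the loader is enabled the file is parsed with external entity resolution available, so a comment stating which files this helper is expected to load (presumably documents the library itself wrote, judging by `$this->path`; confirm against the callers) would make the intended trust boundary explicit, e.g. `// Loader must be enabled for load() to read a path; only load files produced by this code`. The enclosing method begins outside the hunk.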