Fix and improve XXE security scanning for XML-based Readers

MarkBaker · MarkBaker · commit 2b601574975a · 2018-11-22T23:50:50.000+01:00
diff --git a/Classes/PHPExcel/Reader/Abstract.php b/Classes/PHPExcel/Reader/Abstract.php
@@ -269,6 +269,18 @@ public function canRead($pFilename)
      */
     public function securityScan($xml)
     {
+        $pattern = '/encoding="(.*?)"/';
+        $result = preg_match($pattern, $xml, $matches);
+        if ($result) {
+            $charset = $matches[1];
+        } else {
+            $charset = 'UTF-8';
+        }
+
+        if ($charset !== 'UTF-8') {
+            $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
+        }
+
         $pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/';
         if (preg_match($pattern, $xml)) {
             throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
diff --git a/changelog.txt b/changelog.txt
@@ -23,7 +23,8 @@
 **************************************************************************************
 
 
-Planned for 1.8.2
+2018-11-22 (v1.8.2):
+- Security  (MBaker)                            - Fix and improve XXE security scanning for XML-based Readers
 - Bugfix:   (MBaker)                            - Fix to getCell() method when cell reference includes a worksheet reference
 - Bugfix:   (ncrypthic)       Work Item GH-570  - Ignore inlineStr type if formula element exists
 - Bugfix:   (hernst42)        Work Item GH-709  - Fixed missing renames of writeRelationShip (from _writeRelationShip)
