
Updated documentation for XXE injection in readers

1 parent e04bf7e commit c243bcb8ad2911cdbd0c272b284a516b444e606a @MarkBaker MarkBaker committed Feb 21, 2014
@@ -0,0 +1,22 @@
+# PHPExcel User Documentation – Reading Spreadsheet Files
+
+
+## Security
+
+XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:
+
+ - Disclosure whether a file is existent
+ - Server Side Request Forgery
+ - Command Execution (depending on the installed PHP wrappers)
+
+
+To prevent this, PHPExcel sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default.
+
+
+Should you ever need to change these settings, the following method is available through the PHPExcel_Settings:
+
+```
+PHPExcel_Settings::setLibXmlLoaderOptions();
+```
+
+Allowing you to specify the XML loader settings that you want to use instead.
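Review bot: the Security paragraph in this new file says the XXE protection is that PHPExcel "sets the LIBXML_DTDLOAD and LIBXML_DTDATTR settings for the XML Readers by default", but LIBXML_DTDLOAD is the libxml option that loads the external DTD subset, which is the kind of external fetch an XXE payload depends on, and the changelog entry in this same commit describes the fix as disabling libxml external entity loading. The two descriptions need to agree: state the actual mitigation (external entity loading is disabled before the readers parse the XML parts) and say that LIBXML_NOENT, the option that performs entity substitution, must not be added to the loader options. The sample `PHPExcel_Settings::setLibXmlLoaderOptions();` shows no argument; document the parameter (a bitmask of LIBXML_* constants) and add a warning that overriding the defaults with entity-loading options brings back the file disclosure, SSRF and command execution risks listed above. Minor wording: "OfficeOpen XML" should be "Office Open XML", and "Disclosure whether a file is existent" reads better as "Disclosure of whether a file exists".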
@@ -62,6 +62,8 @@ Fixed in develop branch for release v1.8.0:
- General: (adamriyadi) Work Item GH-247 - Modify PHPExcel_Reader_Excel2007 to use zipClass from PHPExcel_Settings::getZipClass()
This allows the use of PCLZip when reading for people that don't have access to ZipArchive
- General: (infojunkie) Work Item GH-276 - Convert properties to string in OOCalc reader
+- Security: (maartenba) Work Item GH-322 - Disable libxml external entity loading by default.
+ This is to prevent XML External Entity Processing (XXE) injection attacks (see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html for an explanation of XXE injection).
Fixed in develop branch for release v1.7.9:
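Review bot: the new Security entry says external entity loading is disabled "by default" but does not say how that default is changed, while the documentation added in this commit points at PHPExcel_Settings::setLibXmlLoaderOptions() and describes the default as LIBXML_DTDLOAD and LIBXML_DTDATTR rather than as disabled entity loading. Name the override method here and use the same wording in both places, so a reader of the changelog and a reader of the docs get the same picture of what is on by default and what switching it off costs. The indented explanatory second line matches the style of the GH-247 entry above and is fine as is.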
