Security: XML filescan in XML-based Readers to prevent XML Entity Exp…

…ansion (XEE) (see http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion for an explanation of XEE injection) attacks
omcrn · Apr 28, 2015 · 0ab614f · 0ab614f
1 parent 72f3a3b
commit 0ab614f
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 53 deletions.
diff --git a/Classes/PHPExcel/Reader/Abstract.php b/Classes/PHPExcel/Reader/Abstract.php
@@ -227,4 +227,28 @@ public function canRead($pFilename)
 		return $readable;
 	}
 
+	/**
+	 * Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks
+	 *
+	 * @param 	string 		$xml
+	 * @throws PHPExcel_Reader_Exception
+	 */
+	public function securityScan($xml)
+	{
+        if (strpos($xml, '<!ENTITY') !== false) { 
+            throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
+        }
+        return $xml;
+    }
+
+	/**
+	 * Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks
+	 *
+	 * @param 	string 		$filestream
+	 * @throws PHPExcel_Reader_Exception
+	 */
+	public function securityScanFile($filestream)
+	{
+        return $this->securityScan(file_get_contents($filestream));
+    }
 }
diff --git a/Classes/PHPExcel/Reader/Excel2003XML.php b/Classes/PHPExcel/Reader/Excel2003XML.php
@@ -49,14 +49,14 @@ class PHPExcel_Reader_Excel2003XML extends PHPExcel_Reader_Abstract implements P
 	 *
 	 * @var array
 	 */
-	private $_styles = array();
+	protected $_styles = array();
 
 	/**
 	 * Character set used in the file
 	 *
 	 * @var string
 	 */
-	private $_charSet = 'UTF-8';
+	protected $_charSet = 'UTF-8';
 
 
 	/**
@@ -137,7 +137,7 @@ public function listWorksheetNames($pFilename)
 
 		$worksheetNames = array();
 
-		$xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
+		$xml = simplexml_load_string($this->securityScan(file_get_contents($pFilename)), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
 		$namespaces = $xml->getNamespaces(true);
 
 		$xml_ss = $xml->children($namespaces['ss']);
@@ -165,7 +165,7 @@ public function listWorksheetInfo($pFilename)
 
 		$worksheetInfo = array();
 
-		$xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
+		$xml = simplexml_load_string($this->securityScan(file_get_contents($pFilename)), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
 		$namespaces = $xml->getNamespaces(true);
 
 		$worksheetID = 1;
@@ -239,7 +239,7 @@ public function load($pFilename)
 	}
 
 
-	private static function identifyFixedStyleValue($styleList,&$styleAttributeValue) {
+	protected static function identifyFixedStyleValue($styleList,&$styleAttributeValue) {
 		$styleAttributeValue = strtolower($styleAttributeValue);
 		foreach($styleList as $style) {
 			if ($styleAttributeValue == strtolower($style)) {
@@ -256,7 +256,7 @@ private static function identifyFixedStyleValue($styleList,&$styleAttributeValue
  	 * @param pxs
  	 * @return
  	 */
- 	private static function _pixel2WidthUnits($pxs) {
+ 	protected static function _pixel2WidthUnits($pxs) {
 		$UNIT_OFFSET_MAP = array(0, 36, 73, 109, 146, 182, 219);
 
 		$widthUnits = 256 * ($pxs / 7);
@@ -270,15 +270,15 @@ private static function _pixel2WidthUnits($pxs) {
 	 * @param widthUnits
 	 * @return
 	 */
-	private static function _widthUnits2Pixel($widthUnits) {
+	protected static function _widthUnits2Pixel($widthUnits) {
 		$pixels = ($widthUnits / 256) * 7;
 		$offsetWidthUnits = $widthUnits % 256;
 		$pixels += round($offsetWidthUnits / (256 / 7));
 		return $pixels;
 	}
 
 
-	private static function _hex2str($hex) {
+	protected static function _hex2str($hex) {
 		return chr(hexdec($hex[1]));
 	}
 
@@ -331,7 +331,7 @@ public function loadIntoExisting($pFilename, PHPExcel $objPHPExcel)
 			throw new PHPExcel_Reader_Exception($pFilename . " is an Invalid Spreadsheet file.");
 		}
 
-		$xml = simplexml_load_string(file_get_contents($pFilename), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
+		$xml = simplexml_load_string($this->securityScan(file_get_contents($pFilename)), 'SimpleXMLElement', PHPExcel_Settings::getLibXmlLoaderOptions());
 		$namespaces = $xml->getNamespaces(true);
 
 		$docProps = $objPHPExcel->getProperties();
@@ -790,15 +790,15 @@ public function loadIntoExisting($pFilename, PHPExcel $objPHPExcel)
 	}
 
 
-	private static function _convertStringEncoding($string,$charset) {
+	protected static function _convertStringEncoding($string,$charset) {
 		if ($charset != 'UTF-8') {
 			return PHPExcel_Shared_String::ConvertEncoding($string,'UTF-8',$charset);
 		}
 		return $string;
 	}
 
 
-	private function _parseRichText($is = '') {
+	protected function _parseRichText($is = '') {
 		$value = new PHPExcel_RichText();
 
 		$value->createText(self::_convertStringEncoding($is,$this->_charSet));