Merge pull request #323 from maartenba/develop

When libxmlloader options are the default values, disable the entity loader as well. CVE-2014-2054 by MITRE

Classes/PHPExcel/Settings.php

@@ -366,6 +366,7 @@ class PHPExcel_Settings
         if (is_null($options)) {
             $options = LIBXML_DTDLOAD | LIBXML_DTDATTR;
         }
+        @libxml_disable_entity_loader($options == (LIBXML_DTDLOAD | LIBXML_DTDATTR)); 
         self::$_libXmlLoaderOptions = $options;
     } // function setLibXmlLoaderOptions
 
@@ -379,8 +380,8 @@ class PHPExcel_Settings
     {
         libxml_disable_entity_loader(true);
         if (is_null(self::$_libXmlLoaderOptions)) {
-            self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR;
+            self::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);
         }
         return self::$_libXmlLoaderOptions;
     } // function getLibXmlLoaderOptions
-}
+}