Merge pull request #323 from maartenba/develop

When libxmlloader options are the default values, disable the entity loader as well. CVE-2014-2054 by MITRE
Maarten Balliauw 2014-02-21 11:07:35 +01:00
commit 81c1c55149
1 changed files with 3 additions and 2 deletions


@ -366,6 +366,7 @@ class PHPExcel_Settings
if (is_null($options)) {
$options = LIBXML_DTDLOAD | LIBXML_DTDATTR;
}
@libxml_disable_entity_loader($options == (LIBXML_DTDLOAD | LIBXML_DTDATTR));
self::$_libXmlLoaderOptions = $options;
} // function setLibXmlLoaderOptions
@ -379,7 +380,7 @@ class PHPExcel_Settings
{
libxml_disable_entity_loader(true);
if (is_null(self::$_libXmlLoaderOptions)) {
self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR;
self::setLibXmlLoaderOptions(LIBXML_DTDLOAD | LIBXML_DTDATTR);
}
return self::$_libXmlLoaderOptions;
} // function getLibXmlLoaderOptions
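Review bot: The `libxml_disable_entity_loader(...)` call in the first hunk passes `false` for every `$options` value other than the exact default, so a caller who sets a stricter value such as `0` re-enables external entity loading for all subsequent XML parsing, which is the XXE exposure this change is meant to close. Consider keeping the loader disabled unless the caller explicitly asks for entity substitution, for example `libxml_disable_entity_loader(($options & LIBXML_NOENT) === 0);`. The leading `@` also hides any failure of the one call the fix depends on, so I would drop it or check the result. The second hunk shows an unconditional `libxml_disable_entity_loader(true);` in getLibXmlLoaderOptions; if that line is still on the new side, the getter and setter disagree about the loader state for non-default options. The signature of setLibXmlLoaderOptions lies outside the hunk, and the +/- markers are lost on this page, so which lines are new is inferred from the commit description.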