Don't rely purely on libxml_disable_entity_loader()

MarkBaker 2018-11-20 18:40:09 +01:00
parent 1f4cb1f19a
commit f02898e14d
1 changed files with 4 additions and 5 deletions


@ -62,12 +62,11 @@ class XmlScanner
$xml = mb_convert_encoding($xml, 'UTF-8', $charset);
}
if (!$this->libxmlDisableEntityLoader) {
// Don't rely purely on libxml_disable_entity_loader()
$pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
if (preg_match($pattern, $xml)) {
throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
}
}
return $xml;
}
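Review bot: The ENTITY scan fails open, because `preg_match()` returns `false` on a PCRE error and `if (preg_match($pattern, $xml))` treats that the same as "no match", so the XML would be returned unscanned. For a security gate the result should be compared explicitly, e.g. `if (preg_match($pattern, $xml) !== 0) {`, so that an engine error also aborts the load. The comment above it could also say why the pattern is built with `\0?` between the characters of `$this->pattern` (presumably to catch the keyword while the bytes are still in a NUL-interleaved multi-byte encoding) and that the check depends on the charset conversion earlier in the method, which starts outside this hunk. The page has lost its `+`/`-` markers, so this assumes the `preg_match` lines are on the new side.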