Don't rely purely on libxml_disable_entity_loader()
parent
1f4cb1f19a
commit
f02898e14d
|
@ -62,12 +62,11 @@ class XmlScanner
|
|||
$xml = mb_convert_encoding($xml, 'UTF-8', $charset);
|
||||
}
|
||||
|
||||
if (!$this->libxmlDisableEntityLoader) {
|
||||
// Don't rely purely on libxml_disable_entity_loader()
|
||||
$pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
|
||||
if (preg_match($pattern, $xml)) {
|
||||
throw new Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
|
||||
}
|
||||
}
|
||||
|
||||
return $xml;
|
||||
}
|
||||
|
|
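Review bot: The ENTITY scan tests `preg_match($pattern, $xml)` for truthiness, so a PCRE failure (return value `false`) is handled exactly like "no match" and the method goes on to `return $xml`; for a security gate that is fail-open. Comparing against zero makes it fail closed: `if (preg_match($pattern, $xml) !== 0) {`. The pattern is also assembled from `str_split($this->pattern)` without `preg_quote()`, which is safe only while that property (set outside this hunk) holds no regex metacharacter; `array_map(static fn ($c) => preg_quote($c, '/'), str_split($this->pattern))` would remove the assumption. The diff markers are lost on this page, so I am assuming the commit makes the scan unconditional; it then runs in every configuration and is only as reliable as the charset detection feeding `mb_convert_encoding()` earlier in the method, which begins outside the hunk.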