ホーム エクスプローラ ヘルプ
サインイン
shenzhipeng
/
edm
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: a82d13b366
ブランチ タグ
edm
/
PhpOffice
/
PhpSpreadsheet
/
Reader
/
Security
/
XmlScanner.php

XmlScanner.php 3.3 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. <?php
    2. 

  2. 

  3. namespace PhpOffice\PhpSpreadsheet\Reader\Security;
    4. 

  4. 

  5. use PhpOffice\PhpSpreadsheet\Reader;
    6. 

  6. 

  7. class XmlScanner
    8. 

  8. {
    9. 

  9.     /**
    10. 

  10.      * Identifies whether the thread-safe libxmlDisableEntityLoader() function is available.
    11. 

  11.      *
    12. 

  12.      * @var bool
    13. 

  13.      */
    14. 

  14.     private $libxmlDisableEntityLoader = false;
    15. 

  15. 

  16.     /**
    17. 

  17.      * String used to identify risky xml elements.
    18. 

  18.      *
    19. 

  19.      * @var string
    20. 

  20.      */
    21. 

  21.     private $pattern;
    22. 

  22. 

  23.     private $callback;
    24. 

  24. 

  25.     private function __construct($pattern = '<!DOCTYPE')
    26. 

  26.     {
    27. 

  27.         $this->pattern = $pattern;
    28. 

  28.         $this->libxmlDisableEntityLoader = $this->identifyLibxmlDisableEntityLoaderAvailability();
    29. 

  29.     }
    30. 

  30. 

  31.     public static function getInstance(Reader\IReader $reader)
    32. 

  32.     {
    33. 

  33.         switch (true) {
    34. 

  34.             case $reader instanceof Reader\Html:
    35. 

  35.                 return new self('<!ENTITY');
    36. 

  36.             case $reader instanceof Reader\Xlsx:
    37. 

  37.             case $reader instanceof Reader\Xml:
    38. 

  38.             case $reader instanceof Reader\Ods:
    39. 

  39.             case $reader instanceof Reader\Gnumeric:
    40. 

  40.                 return new self('<!DOCTYPE');
    41. 

  41.             default:
    42. 

  42.                 return new self('<!DOCTYPE');
    43. 

  43.         }
    44. 

  44.     }
    45. 

  45. 

  46.     private function identifyLibxmlDisableEntityLoaderAvailability()
    47. 

  47.     {
    48. 

  48.         if (PHP_MAJOR_VERSION == 7) {
    49. 

  49.             switch (PHP_MINOR_VERSION) {
    50. 

  50.                 case 2:
    51. 

  51.                     return PHP_RELEASE_VERSION >= 1;
    52. 

  52.                 case 1:
    53. 

  53.                     return PHP_RELEASE_VERSION >= 13;
    54. 

  54.                 case 0:
    55. 

  55.                     return PHP_RELEASE_VERSION >= 27;
    56. 

  56.             }
    57. 

  57. 

  58.             return true;
    59. 

  59.         }
    60. 

  60. 

  61.         return false;
    62. 

  62.     }
    63. 

  63. 

  64.     public function setAdditionalCallback(callable $callback)
    65. 

  65.     {
    66. 

  66.         $this->callback = $callback;
    67. 

  67.     }
    68. 

  68. 

  69.     /**
    70. 

  70.      * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
    71. 

  71.      *
    72. 

  72.      * @param mixed $xml
    73. 

  73.      *
    74. 

  74.      * @throws Reader\Exception
    75. 

  75.      *
    76. 

  76.      * @return string
    77. 

  77.      */
    78. 

  78.     public function scan($xml)
    79. 

  79.     {
    80. 

  80.         if ($this->libxmlDisableEntityLoader) {
    81. 

  81.             $previousLibxmlDisableEntityLoaderValue = libxml_disable_entity_loader(true);
    82. 

  82.         }
    83. 

  83. 

  84.         $pattern = '/encoding="(.*?)"/';
    85. 

  85.         $result = preg_match($pattern, $xml, $matches);
    86. 

  86.         $charset = $result ? $matches[1] : 'UTF-8';
    87. 

  87. 

  88.         if ($charset !== 'UTF-8') {
    89. 

  89.             $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
    90. 

  90.         }
    91. 

  91. 

  92.         // Don't rely purely on libxml_disable_entity_loader()
    93. 

  93.         $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
    94. 

  94. 

  95.         try {
    96. 

  96.             if (preg_match($pattern, $xml)) {
    97. 

  97.                 throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
    98. 

  98.             }
    99. 

  99. 

  100.             if ($this->callback !== null && is_callable($this->callback)) {
    101. 

  101.                 $xml = call_user_func($this->callback, $xml);
    102. 

  102.             }
    103. 

  103.         } finally {
    104. 

  104.             if (isset($previousLibxmlDisableEntityLoaderValue)) {
    105. 

  105.                 libxml_disable_entity_loader($previousLibxmlDisableEntityLoaderValue);
    106. 

  106.             }
    107. 

  107.         }
    108. 

  108. 

  109.         return $xml;
    110. 

  110.     }
    111. 

  111. 

  112.     /**
    113. 

  113.      * Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks.
    114. 

  114.      *
    115. 

  115.      * @param string $filestream
    116. 

  116.      *
    117. 

  117.      * @throws Reader\Exception
    118. 

  118.      *
    119. 

  119.      * @return string
    120. 

  120.      */
    121. 

  121.     public function scanFile($filestream)
    122. 

  122.     {
    123. 

  123.         return $this->scan(file_get_contents($filestream));
    124. 

  124.     }
    125. 

  125. }
    126.