From d28e38f60c909c76c7c69c1849a17b776bd39d4c Mon Sep 17 00:00:00 2001 From: Tiago Fernandes Date: Tue, 29 Dec 2020 12:42:20 +0000 Subject: [PATCH 1/5] Handle absolute path in worksheets Target --- src/PhpSpreadsheet/Reader/Xlsx.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/PhpSpreadsheet/Reader/Xlsx.php b/src/PhpSpreadsheet/Reader/Xlsx.php index 124cc3b252..4346ddf452 100644 --- a/src/PhpSpreadsheet/Reader/Xlsx.php +++ b/src/PhpSpreadsheet/Reader/Xlsx.php @@ -197,11 +197,12 @@ public function listWorksheetInfo($pFilename) ]; $fileWorksheet = $worksheets[(string) self::getArrayItem($eleSheet->attributes('http://schemas.openxmlformats.org/officeDocument/2006/relationships'), 'id')]; + $fileWorksheetPath = strpos($fileWorksheet, '/') === 0 ? substr($fileWorksheet, 1) : "$dir/$fileWorksheet"; $xml = new XMLReader(); $xml->xml( $this->securityScanner->scanFile( - 'zip://' . File::realpath($pFilename) . '#' . "$dir/$fileWorksheet" + 'zip://' . File::realpath($pFilename) . '#' . $fileWorksheetPath ), null, Settings::getLibXmlLoaderOptions() @@ -470,9 +471,10 @@ public function load($pFilename) } $xpath = self::getArrayItem($relsWorkbook->xpath("rel:Relationship[@Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles']")); + $xpathPath = strpos($xpath['Target'], '/') === 0 ? substr($xpath['Target'], 1) : "$dir/$xpath[Target]"; //~ http://schemas.openxmlformats.org/spreadsheetml/2006/main" $xmlStyles = simplexml_load_string( - $this->securityScanner->scan($this->getFromZipArchive($zip, "$dir/$xpath[Target]")), + $this->securityScanner->scan($this->getFromZipArchive($zip, $xpathPath)), 'SimpleXMLElement', Settings::getLibXmlLoaderOptions() ); From c673653c549a020061b6410ec1cd9bdd7192cd90 Mon Sep 17 00:00:00 2001 From: Tiago Fernandes Date: Tue, 29 Dec 2020 15:04:02 +0000 Subject: [PATCH 2/5] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
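Review bot: `$fileWorksheet` is the relationship Target read from the workbook being opened, so it is untrusted input, and the new `$fileWorksheetPath` line in `listWorksheetInfo()` strips only one leading `/` before the value is concatenated into the `zip://…#` URL. A Target with repeated leading slashes or `..` segments passes through unnormalised; the zip wrapper presumably just fails to find such an entry, but the failure then surfaces inside `scanFile()` / `XMLReader::xml()` rather than as a clear reader error. I would tighten the absolute case to `strpos($fileWorksheet, '/') === 0 ? ltrim($fileWorksheet, '/') : "$dir/$fileWorksheet"` and add a comment such as `// A Target starting with "/" is relative to the package root, not to $dir`. The `load()` hunk repeats the same ternary for the styles Target, so a small private helper shared by both call sites would keep them in step. Both function bodies continue outside the hunks.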
diff --git a/CHANGELOG.md b/CHANGELOG.md index 23e7b13a04..b56a47247f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org). ### Added - CSV Reader - Best Guess for Encoding, and Handle Null-string Escape [#1647](https://github.com/PHPOffice/PhpSpreadsheet/issues/1647) +- Support for absolute path in "Target=" for worksheet [#907](https://github.com/PHPOffice/PhpSpreadsheet/issues/907) ### Changed From 559c0761df56827d69ecec634345b39f8d0a324e Mon Sep 17 00:00:00 2001 From: Tiago Fernandes Date: Mon, 19 Apr 2021 11:25:48 +0100 Subject: [PATCH 3/5] Remove unnecessary changes. Added test --- src/PhpSpreadsheet/Reader/Xlsx.php | 4 +--- .../Reader/Xlsx/AbsolutePathTest.php | 19 ++++++++++++++++++ tests/data/Reader/XLSX/pr1769e.xlsx | Bin 0 -> 7194 bytes 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 tests/PhpSpreadsheetTests/Reader/Xlsx/AbsolutePathTest.php create mode 100644 tests/data/Reader/XLSX/pr1769e.xlsx diff --git a/src/PhpSpreadsheet/Reader/Xlsx.php b/src/PhpSpreadsheet/Reader/Xlsx.php index 4346ddf452..0bc29c6115 100644 --- a/src/PhpSpreadsheet/Reader/Xlsx.php +++ b/src/PhpSpreadsheet/Reader/Xlsx.php @@ -48,7 +48,6 @@ class Xlsx extends BaseReader * @var ReferenceHelper */ private $referenceHelper; - /** * Xlsx\Theme instance. * @@ -471,10 +470,9 @@ public function load($pFilename) } $xpath = self::getArrayItem($relsWorkbook->xpath("rel:Relationship[@Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles']")); - $xpathPath = strpos($xpath['Target'], '/') === 0 ? substr($xpath['Target'], 1) : "$dir/$xpath[Target]"; //~ http://schemas.openxmlformats.org/spreadsheetml/2006/main" $xmlStyles = simplexml_load_string( - $this->securityScanner->scan($this->getFromZipArchive($zip, $xpathPath)), + $this->securityScanner->scan($this->getFromZipArchive($zip, "$dir/$xpath[Target]")), 'SimpleXMLElement', Settings::getLibXmlLoaderOptions() ); 
diff --git a/tests/PhpSpreadsheetTests/Reader/Xlsx/AbsolutePathTest.php b/tests/PhpSpreadsheetTests/Reader/Xlsx/AbsolutePathTest.php new file mode 100644 index 0000000000..6a886abb4a --- /dev/null +++ b/tests/PhpSpreadsheetTests/Reader/Xlsx/AbsolutePathTest.php @@ -0,0 +1,19 @@ +listWorksheetInfo($xlsxFile); + + self::assertIsArray($result); + self::assertEquals(3, $result[0]['totalRows']); + } +} 
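Review bot: The test depends on a binary fixture (`tests/data/Reader/XLSX/pr1769e.xlsx`, added in the same commit) whose contents cannot be reviewed in the diff, and nothing in the visible lines says what makes it special. A short docblock on the test method would help, for example `/** Fixture's workbook relationships use a package-absolute worksheet Target (leading "/"); see PR #1769. */`, adjusted to what the file actually contains. The lines of this new file before the `listWorksheetInfo($xlsxFile)` call are not visible in this view, so such a comment may already be there.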
diff --git a/tests/data/Reader/XLSX/pr1769e.xlsx b/tests/data/Reader/XLSX/pr1769e.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..7492828f03dee8d75e920382ce9fa8e707120ff8 GIT binary patch literal 7194 zcmaJ`1yq#Vx2L5;x}+Onhyf&}O9rGHiBSd^y1PYEQfUy7MuDNEySp0%>5vel-+2AM z=e@l9-nVAXS!dST`QL51>LA(tb-Nm|Ok;JxZBjj4>Q1 zs3y~31{Zyc-4!x1w|rhnn7_7NUEPaDPjTqT(-%sQsN)V@;3dsGnLd?dROo|%8-on@ z5IUV5z4$T?kzTY}y{;<=Ys*Q{)l}mc@J8s49qZO7Xzt3xF48Sz>ZxD-ZcMU7Af!}y zgdcyzmtX~D^O!x}^kKqUlR1VBTdUQn(dlZie*L^4X*_X|$)QUwRIn@B;H;}U z?(d##yV7!<%{`ogS!;8wp)Fnukb~UfIne;9ZOSZ`8sLnWBqHkO%5Rq*i_ioYFk zKt63$>`OLhgt=tP~1l_XC=wCsIx+y?Z zt7=9j`|C@Ju}ANxcY#{jv3U;CO2oQ;RkUflD2KQO|iKpgRp zS$-kYR1pK;6OK#*WCR3!xLGXh%+(z2?47tx?d^ZTGCfXGbq#qy{upY>DAgZ3asvGQR#_;Pu+@>Z@JQH8QjjkDJjz2H%WL9ja=SvcMhA$N-y6p~J13?8Ip?nx+yrx^IdOlz~9~=aDWN+EQt@<=>w>lNoIM8A+nfBRTb!ge!vcf0$+$Sm|kggv;kQ~ z{H5h>UR8SKo(kQm5Yw(Ee;>j8{8?uf^lA9mnfB+RT9Wj%msKf7hcNL^fIDL7j$Iowg4yZHR=a$(5+l6CN z%_a-bwZ62}9+cBPBGiF3`i-*I1njI_h;PN*Rrsw|)TVqR^$=gU9wEHmecZ45Pd`P} zNt+75{RDx-m*DSyGPiRC|8i7RoRMl9fGG4(P3NS%fc(W%>H&52J|A@61Yx4lXJ zmHdsZn4*LOdTWe({fngR`yK<9XLia_sZ}I>SwCWV6FJM5B%f5; zABLbf)LeAl4n`~n8axPN#g?nF-ix2UzBLt>)Jl5E2>N8^C^GEmslwX3Tz|&$<3aWu z@S>R~XLhTnmQ?d*AwM(c@^8Vw5EZL_X3xF005|RvxREK~v%3xV?=<0N=V)zaXJ`G( z(0`?j(%62hb^yNYdB}Cpdmm9(q`ZWl*#xQT&Km@}7#f+R;FohlCd?})IOh9t2~S){LOfpfL!il0K)br zkM2`|unu{dYGjqr2>jkn5b2l&qn$>~=uFNwh9KA@W?K+>2UUYwA7^{SRubrxd-qv- zIw~n6&?mL0Kat@r*!2Rbh^LTc)Su-%o;VrR-N@8Q8MU_(#{V2nZ~{ZDQ{TfuCNE8enHp=(j92Sk2;+RkOdFdcug=&d?s)wJX_ zTmYTQw~vNEU2QxzPp9X_8&BQNvNxC7&eu4WZ_`%iTSLcke!kX7_>7Y7r-%VQC}wTz zKw>`)$3~7YlwB$u5iC?HahU>duoq))h)j};cz(3gCE0OE2!-Y?$ZA?(2EAygD_( zc!DEszVIzA(AUM{u8!I;^QXk!Rba-XnDlDiu!h+9V3Dz@O`&JP9sOnx7p_AKc^0#B z`iYzhGAT}xK(u?thd1Yf)ES+b4F-9BktB(#^63SNNuz`)lKB7q`H7A9PwyJ3{FLc} zqumQ$r{Mhdu9LHe4cO@y(i@XZ>{0>vEz2zXBD%i$Xh?bwC5!Ud)bpSz6VK*~k(tYP zBzlCXXJLm;d~bsbc7NiEgsNXd6Fmqc zt(3JSL$o<{*+#iW$?*r4-DHR`c4u(!7 zn!*awV~H3~Z+K!8I2H(A^4`&eJVnk#zgCNqe)yKnFC#P 
z9*zUcdlvf#oP6v-s5_g*KBx!8hSRv?JB?Y5JkB)1M=e>@ErqFQGzUPRq!&b!Kpv};`Nx*nN+X&98U`^wF1%x_jM7)7eg9c@d}4;J_# zeYbJGqU@ljYTHZ*b$a~}b+m*e3w&vDwQ{IhL4-$Q^mG3z==1Ax)%Nl`9$as3%8LNf zsO^r_Ncr-2oszXw@)7ew5f93{-*rCv$%qbW?dI!eA~Y;N`K}|)Mud@crw~ZRE(!9( zIg$7$;9E)Yn{v<)5V~l8SK{y#?`#Q%f`5-ZzhJ+wry4OYN7PJuNgaF;4K_H=WLkRB z?^@k!>)I>K_GGBf95Tfal}x_h75r2Y)JTL0+0Gj=z{}$wc`D6)1Hi(7UeaAMUc_`g zVoJ5p7^@JNNl9MzI!QfWYVe3FGp?smUqf+{)SVFE(BT|!iS3qSJf7c3U(K4}$Dw=9 zFO?u$3my6l_yqO4?A3xXAyb(luQQZ~%)O-j=3Hz@^2nLNAwJ4}^jU0|Oa4t|al&NE2E<`q`^0~|Y6M+YPT);10QO2boR-7)aDSt-CdlP#@ zLuv%S2L;qunBpcF2~)b~&+nXR-V9-yEVl@jfQD^Ze-aU?Jya1GNz(XK7ct32XD;Uk z`<`TuM=|-tJA{4n14n#}#q*Mot@lTW2Qs|1>UCOQ6 z>Zy1`aNWhkwQC=ti6+S)H;@No+Q;zBfeq`^QhN zax`tNe)-^%QBHpW$OkX8Kw*X?Y)8|q=>3s!I1^@7fUzpbD|(DjEplL zu$*6T$Vl(rNwU;Avjth>{P`BAW~^b{8{E1GvVI0Ho3CiBX;x3-S$oVS2no@jTTlTC znOY~P<6y0LtnAL`MuEg`%^n8J0ob{CZ!H)%zB~>{{zCK0Ir1~egGU*yzbNFgb5%;_rvVqJ-RbJ#LUK7 z{jbT{tTGJ>C#7#FczuMv!3v!-Jqei-A7mGJT`$Avo7iYzGOhQat-anUD>$(gz!%Ny7Dg&9b48^s4DpSCsLG<$D_aB1AVm{6Us36y-sphYE zM~_(t@m)NLZ8i1(2vA{4ZzXk_Yyy0I_H^5VWCw(1Np(>Ee9EAZ^O02`LR_&gYa_{x zT0w6~&62KIqd}3XK~oQ*y?WjzOKj>hrsv~tEhmQLKbRR2MI?pFRvrtJd`r_=vFBAg z7F{Uklf$>gAIs@bO}=icCq3AvH!tchvr3w-7=E?x9Lypp3V4n>AaTI5*N0a%jZx__H#&c#NIb4Kcp8Rls z%PTM*Eh6C56d(+Ywj8iy03?hTFrrZr(7l_YBFMlxNF<&foAl;j=QhwbAR2}EZ?Gtd zC%^iB>Z!<56P>VqSu}Cx%_D!iLJwLL#9~6O%hj{@=f|v^c`dT;RAS|+9W5|jmC|o~ z!*+E0Kq^{aL$&l{{!3!D`j$XiL8HbN+kU>UA5?>W6g=MC>4Q}rX{Se3 zv1!#>ul5)<#0>CC&eivDo#zoajS0}`g1TLcqYWxjK+P7@HpLUp!d2?s4pxax8s(mg zJJNt~?6&auK{5YSAK}zynCg|F@xto}^{epiHeTi36-V~8rrJ-M5he?iD4Zu*#?&yY zQrpIfA{R8K`e|sAzHOty&g7z;-H22AOY83={2=wui-mQrjmw;q9AyR-yV_FCv+Te< zt15Fr;lZXw51|@hiT6=6z^>2wisqkZT7MLf1OV^f72ri2-tQvr?+r_-mXTeK5Rs1w zggjOSAPXg&mDDAw;wPf#b!G@X6>x!@Hu zcu@n@pd5a7W(aeNPct2V0i{z~D%;#x?x#ZiILa}X1S5Hzn#x@w*lcut(S0G;lP^z~ zfsJ5!Rj0=`DVsD&N^EWE$1FV6)~D1H$`1H8w4%IX2Vo(l2EA;;1WLVb-iq-nJae&+&wl?V7S4I4XP6kycHFs|v+x2NTy zpKCh!svr7_Ut@%JWw-|B;TZrM-hLqEa6udK8l(BjGDE*^gjr4FWKR)?rRcu#B~+gE 
zE<*Pfv0oyP;JSGfUA%49MCJt7vf9I;=_{~)S#dhc=saEEi+UAg0;Z$aOU$vkf&Hx9 z^pJUdq!am5>u2g^+-JLAX*Ve$2{y8?^&bb!py08zpG(h=XV6Bkp=OmGG!YsfKzIC&C*(0O@ z&R)P7)$-BH^~s4>9PB96npLV_y3$h1?s~_7iy#gZd1UUGtGl+V2R>uZhKr*$-(6)? zs`!;O2}JE9+bNePr-r?#y)j-&O&#@I$t!|++YD!J+?shCA)1?cRmP^2CL`v^f&%SH z(0cmK0u8xOM(OR%5<1H4hOZeFUk>&3cuGS`h9)TY3-(3CnCBdm0u&%18AD{Z;hq1zOni6=4CTg^8gCy`-1r z=a(XO_0I=KQweo6HH-3cI|;pAZD-j(ijB8!`}=PiRFso;%piu_f*jZ5@NS<$Nk_62$&taxqeQ_ud(vxE4e#HIH;1YrID%ZnI_RIHQFHWu>t2EM{O4pEmsC;~hK9 z6-vUTY)pw1CAvP-IJlOWOR=laob2Uxh`wLH?!>Xw)~XV?_=LD0QFxXf(r{>{mM`C? zx;Jy)x+ZYB8_9Ur0APFYa6q1j4Y_WF3y+lq=6ks0R5~2c0*ms{Te?pU%D<`9<%4&J zZm0+dWdCdLe|DXoU<7Xz;oK9;zJzWQ3oeZ!I#Q7UzdjeU)^4>|H`(Vvo{DsCm8(NO zkhE@vB82I!O>^32!`TxdU!m_5dj*=$_%WR2&CxBTWrk9C10mjQKD=f9+%eJBqqRcwZZ4t_hQCP2;Xq9NaqF^~+5lTvh?&7x^1nE|$Z0CeXwJ5^a zDd~>B2waKRA~LVg4z49nOXQdD3MLCNsIxxbiluAzXj;6b8YEyA+jhNkGhJw*YKeA1 zZOCfCt6&!EuWz}=Yx^ixBEm%u)yrrxIq1lIT*>MDa_OWEL&|M?U^61QvZo<`&x1U= zefwJQ*;-mMrd#XNG5UZQTiACxCG*r3mK-l28FJM0C)h_BjrjJEEbHMa{8W%(a-IWe zxUJc{YEomy9!Nk<)h+Xx2`dK&l(v->P+fm1cfper{yvm1YqV1~6bLeBJ9|2pThzIj zxgvM#hcy1)IaAzq*_8m&pu9-79|=7ED24+(w1e_YTpLSwN!qo0y~Y{-DjI=RW`kYT zn;4ZXa8rYGM=jtTaq`&K6>MG*q9YJGcio3ZK~&JmbQ2Elr9idPpV{L>UoRYTEs?dB zCq$o;vThx&?1S+qvNUJmOJ%Zbb@=3Y&Lhz!&n7koKb*lVWO_Mg5%wkeUGYNI;_59kzeU|Q*p5ISB zyxE28xyRAnU;o9~-B)^_9Qvj3w@;Gcl?GhtAFAlS=>0bPk7zjj^5tKe?)wVv*ED|= z7(e_=!QU&K`@;8g_HSWY_*4&PG2w6jCH((o@cRnyC&EAfriSFc!ar$IO&Jw#{9o5i OSP1KIEYXtxTKyOP^PVdJ literal 0 HcmV?d00001 From ee4f10e85c8f4fde948d8f4f37cb7460c90061a6 Mon Sep 17 00:00:00 2001 From: Tiago Fernandes Date: Mon, 19 Apr 2021 14:31:10 +0100 Subject: [PATCH 4/5] Updated Changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b56a47247f..64efac09c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,7 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org). ### Added - CSV Reader - Best Guess for Encoding, and Handle Null-string Escape [#1647](https://github.com/PHPOffice/PhpSpreadsheet/issues/1647) -- Support for absolute path in "Target=" for worksheet [#907](https://github.com/PHPOffice/PhpSpreadsheet/issues/907) ### Changed @@ -26,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org). ### Fixed +- Fixed issue with absolute path in worksheets' Target. [PR #1769](https://github.com/PHPOffice/PhpSpreadsheet/pull/1769) - Fix for Xls Reader when SST has a bad length [#1592](https://github.com/PHPOffice/PhpSpreadsheet/issues/1592) - Resolve Xlsx loader issue whe hyperlinks don't have a destination - Resolve issues when printer settings resources IDs clash with drawing IDs From 142e7eea7a6ed634e66cbe94014db22c9872c35e Mon Sep 17 00:00:00 2001 From: Tiago Fernandes Date: Mon, 19 Apr 2021 14:40:25 +0100 Subject: [PATCH 5/5] Fix style --- src/PhpSpreadsheet/Reader/Xlsx.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/PhpSpreadsheet/Reader/Xlsx.php b/src/PhpSpreadsheet/Reader/Xlsx.php index 0bc29c6115..c6068bcdac 100644 --- a/src/PhpSpreadsheet/Reader/Xlsx.php +++ b/src/PhpSpreadsheet/Reader/Xlsx.php @@ -48,6 +48,7 @@ class Xlsx extends BaseReader * @var ReferenceHelper */ private $referenceHelper; + /** * Xlsx\Theme instance. *