Security: prevent XXE (XML External Entity) when loading files #4119
Conversation
Prevent XXE by hiding custom entities by using a single quote to declare a non-UTF-8 encoding. XML standard, https://www.w3.org/TR/xml/#NT-EncodingDecl, allows a single quote to declare encoding, but we did not support it. Instead, we incorrectly fell back on the default of UTF-8. That incorrectly kept the XML as non-UTF-8, and thus prevented our regexp-based custom entity detection mechanism from working.
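The failure mode the description outlines, shown as an added, self-contained example that is not PhpSpreadsheet's code: a pre-parse scanner reads the encoding declaration, converts the document to UTF-8, and only then looks for an entity declaration. The "before" variant recognises only a double-quoted `encoding=` value and silently defaults to UTF-8, so a single-quoted declaration of a non-UTF-8 encoding leaves the bytes unconverted and the marker unseen; the "after" variant accepts both quote styles, as the XML specification allows. The PR does not say which non-UTF-8 encoding was involved; UTF-7 is used here purely as an illustration because `<!` can be written in it as `+ADwAIQ-`, so the raw bytes never spell `<!ENTITY`. All sample documents and function names are constructed for this example.

```python
import re

# Encoding-declaration patterns. The double-quote-only form is the gap the PR
# describes; the single-quote form is what https://www.w3.org/TR/xml/#NT-EncodingDecl
# also permits.
_ENC_DQ = re.compile(r'encoding\s*=\s*"([^"]*)"')
_ENC_SQ = re.compile(r"encoding\s*=\s*'([^']*)'")

# Marker looked for once the document has been converted to a str.
_ENTITY = re.compile(r"<!ENTITY", re.IGNORECASE)


def find_charset(raw: bytes, accept_single_quotes: bool) -> str:
    """Return the declared encoding (upper-cased) or "UTF-8" when none is declared.

    accept_single_quotes=False reproduces the pre-fix behaviour described in the PR.
    """
    head = raw[:1024].decode("latin-1")  # lossless byte-to-str view for the regex
    m = _ENC_DQ.search(head)
    if m is None and accept_single_quotes:
        m = _ENC_SQ.search(head)
    return m.group(1).strip().upper() if m else "UTF-8"


def scan(raw: bytes, accept_single_quotes: bool = True) -> str:
    """Convert the XML to a str in its declared charset; raise if an ENTITY declaration appears."""
    charset = find_charset(raw, accept_single_quotes)
    try:
        text = raw.decode(charset, errors="replace")
    except LookupError:  # unknown charset name: fall back rather than skip the check
        text = raw.decode("utf-8", errors="replace")
    if _ENTITY.search(text):
        raise ValueError("Detected use of ENTITY in XML, load aborted to prevent XXE")
    return text


def detects_entity(raw: bytes, accept_single_quotes: bool) -> bool:
    """True when scan() rejects the document."""
    try:
        scan(raw, accept_single_quotes)
    except ValueError:
        return True
    return False


# Constructed samples (not from the PR). "+ADwAIQ-" is UTF-7 for "<!", so the
# entity declaration is invisible to a byte-level search until the document is
# converted. UTF-7 is an assumption chosen for illustration only.
SAMPLE_SINGLE_QUOTED = (
    b"<?xml version='1.0' encoding='UTF-7'?>\n"
    b"<!DOCTYPE r [ +ADwAIQ-ENTITY x 'y'>]>\n"
    b"<r>&x;</r>\n"
)
SAMPLE_DOUBLE_QUOTED = (
    b'<?xml version="1.0" encoding="UTF-7"?>\n'
    b'<!DOCTYPE r [ +ADwAIQ-ENTITY x "y">]>\n'
    b"<r>&x;</r>\n"
)
# Harmless single-quoted declaration: the fix must still load it, now correctly decoded.
SAMPLE_BENIGN = b"<?xml version='1.0' encoding='ISO-8859-1'?>\n<r>caf\xe9</r>\n"

if __name__ == "__main__":
    for name, raw in (("single-quoted", SAMPLE_SINGLE_QUOTED),
                      ("double-quoted", SAMPLE_DOUBLE_QUOTED),
                      ("benign", SAMPLE_BENIGN)):
        before = detects_entity(raw, accept_single_quotes=False)
        after = detects_entity(raw, accept_single_quotes=True)
        print(f"{name:14s} charset before/after: "
              f"{find_charset(raw, False)}/{find_charset(raw, True)}  "
              f"rejected before/after: {before}/{after}")
```

Only the single-quoted document separates the two variants: the pre-fix scanner reports it as UTF-8, never converts it, and lets it through, while the fixed scanner converts from the declared charset and rejects it. The double-quoted document is rejected by both, and the benign ISO-8859-1 document passes both, but only the fixed variant decodes its non-ASCII byte correctly instead of treating it as UTF-8.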
Can we add this fix for the ^1 version too? For now any deploy will crash for components which are using the ^1 version...
Will there ever be a backport to 2.1.0?
@AoiKagase PHP 8.0 reached end-of-life (no updates, not even for security) almost a year ago. There seems to be a way to install a supported version on RHEL9 here. If that is not possible, might PhpSpreadsheet 1.29.1 meet your needs?
Although PHP itself is no longer supported, RHEL9 has a 10-year guarantee that security updates to 8.0 will be backported by Red Hat.
Since composer installs 2.1.0 by default, many companies may end up using the vulnerable version.
Can you add a fix for PHP 7.3? #4119 does not support PHP 7.3.
@ChinhTQ-Vnext We are unlikely to act on your request. See discussion in issue #4154, and continue the discussion there if you wish.
@AoiKagase I have released 2.1.1 which will handle your situation. Thank you for your explanation.
@oleibman Thank you. I will update with it.