liuqing
/
htb_backend
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
杨总惠通宝
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12 Commits
1 Branch
1 Tag
108 MiB
 
 
 
 
 
 
Tag: Branch: Tree: cd0365c472
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cd0365c472'
${ noResults }
htb_backend/vendor/phpoffice/phpexcel/Documentation/markdown/ReadingSpreadsheetFiles/02-Security.md

621 B
Raw Blame History

PHPExcel User Documentation – Reading Spreadsheet Files

Security

XML-based formats such as OfficeOpen XML, Excel2003 XML, OASIS and Gnumeric are susceptible to XML External Entity Processing (XXE) injection attacks (for an explanation of XXE injection see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html) when reading spreadsheet files. This can lead to:

  • Disclosure whether a file is existent
  • Server Side Request Forgery
  • Command Execution (depending on the installed PHP wrappers)

To prevent this, PHPExcel sets libxml_disable_entity_loader to true for the XML-based Readers by default.