Merge pull request #1427 from troosan/libxml_disable_entity_loader

disable entity loader before parsing XML to avoid XXE injection

Author: troosan

CHANGELOG.md

@@ -37,6 +37,7 @@ v0.15.0 (?? ??? 2018)
 - Fix parsing of Heading and Title formating @troosan @gthomas2 #465
 - Fix Dateformat typo, fix hours casing, add Month-Day-Year formats @ComputerTinker #591
 - Fix missing column width in ODText writer @potofcoffee #413
+- Disable entity loader before parsing XML to avoid XXE injection @Tom4t0 #1427
 
 ### Changed
 - Remove zend-stdlib dependency @Trainmaster #1284

composer.json

@@ -66,7 +66,7 @@
     "require-dev": {
         "ext-zip": "*",
         "ext-gd": "*",
-        "phpunit/phpunit": "^4.8.36 || ^5.0",
+        "phpunit/phpunit": "^4.8.36 || ^7.0",
         "squizlabs/php_codesniffer": "^2.9",
         "friendsofphp/php-cs-fixer": "^2.2",
         "phpmd/phpmd": "2.*",

phpunit.xml.dist

@@ -6,8 +6,7 @@
          convertNoticesToExceptions="true"
          convertWarningsToExceptions="true"
          processIsolation="false"
-         stopOnFailure="false"
-         syntaxCheck="false">
+         stopOnFailure="false">
     <testsuites>
         <testsuite name="PhpWord Test Suite">
             <directory>./tests/PhpWord</directory>
@@ -22,7 +21,7 @@
         </whitelist>
     </filter>
     <logging>
-        <log type="coverage-html" target="./build/coverage" charset="UTF-8" highlight="true" />
+        <log type="coverage-html" target="./build/coverage" />
         <log type="coverage-clover" target="./build/logs/clover.xml" />
     </logging>
 </phpunit>

src/PhpWord/Shared/Html.php

@@ -71,6 +71,7 @@ public static function addHtml($element, $html, $fullHTML = false, $preserveWhit
         }
 
         // Load DOM
+        libxml_disable_entity_loader(true);
         $dom = new \DOMDocument();
         $dom->preserveWhiteSpace = $preserveWhiteSpace;
         $dom->loadXML($html);

src/PhpWord/TemplateProcessor.php

@@ -113,6 +113,7 @@ public function __construct($documentTemplate)
      */
     protected function transformSingleXml($xml, $xsltProcessor)
     {
+        libxml_disable_entity_loader(true);
         $domDocument = new \DOMDocument();
         if (false === $domDocument->loadXML($xml)) {
             throw new Exception('Could not load the given XML document.');

tests/PhpWord/_includes/XmlDocument.php

@@ -76,8 +76,10 @@ public function getFileDom($file = 'word/document.xml')
         $this->file = $file;
 
         $file = $this->path . '/' . $file;
+        libxml_disable_entity_loader(false);
         $this->dom = new \DOMDocument();
         $this->dom->load($file);
+        libxml_disable_entity_loader(true);
 
         return $this->dom;
     }