Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 3.10.x will end 8 November 2021 (12 months).
- Bug fixes for security issues in 3.10.x will end 9 May 2022 (18 months).
- PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.
<?php namespace PhpOffice\PhpSpreadsheet\Reader\Security; use PhpOffice\PhpSpreadsheet\Reader;< use PhpOffice\PhpSpreadsheet\Settings;class XmlScanner { /** * String used to identify risky xml elements. * * @var string */ private $pattern; private $callback; private static $libxmlDisableEntityLoaderValue;> /** public function __construct($pattern = '<!DOCTYPE') > * @var bool { > */ $this->pattern = $pattern; > private static $shutdownRegistered = false; >$this->disableEntityLoaderCheck(); // A fatal error will bypass the destructor, so we register a shutdown here> if (!self::$shutdownRegistered) { register_shutdown_function([__CLASS__, 'shutdown']); > self::$shutdownRegistered = true;}> }public static function getInstance(Reader\IReader $reader) { switch (true) { case $reader instanceof Reader\Html: return new self('<!ENTITY'); case $reader instanceof Reader\Xlsx: case $reader instanceof Reader\Xml: case $reader instanceof Reader\Ods: case $reader instanceof Reader\Gnumeric: return new self('<!DOCTYPE'); default: return new self('<!DOCTYPE'); } } public static function threadSafeLibxmlDisableEntityLoaderAvailability() {< if (PHP_MAJOR_VERSION == 7) {> if (PHP_MAJOR_VERSION === 7) {switch (PHP_MINOR_VERSION) { case 2: return PHP_RELEASE_VERSION >= 1; case 1: return PHP_RELEASE_VERSION >= 13; case 0: return PHP_RELEASE_VERSION >= 27; } return true; } return false; }< private function disableEntityLoaderCheck()> private function disableEntityLoaderCheck(): void{< if (Settings::getLibXmlDisableEntityLoader()) {> if (\PHP_VERSION_ID < 80000) {$libxmlDisableEntityLoaderValue = libxml_disable_entity_loader(true); if (self::$libxmlDisableEntityLoaderValue === null) { self::$libxmlDisableEntityLoaderValue = $libxmlDisableEntityLoaderValue; } } }< public static function shutdown()> public static function shutdown(): void{< if (self::$libxmlDisableEntityLoaderValue !== null) {> if (self::$libxmlDisableEntityLoaderValue !== null && \PHP_VERSION_ID < 80000) {libxml_disable_entity_loader(self::$libxmlDisableEntityLoaderValue); self::$libxmlDisableEntityLoaderValue = null; } } public function __destruct() { self::shutdown(); }< public function setAdditionalCallback(callable $callback)> public function setAdditionalCallback(callable $callback): void{ $this->callback = $callback; } private function toUtf8($xml) { $pattern = '/encoding="(.*?)"/'; $result = preg_match($pattern, $xml, $matches); $charset = strtoupper($result ? $matches[1] : 'UTF-8'); if ($charset !== 'UTF-8') { $xml = mb_convert_encoding($xml, 'UTF-8', $charset); $result = preg_match($pattern, $xml, $matches); $charset = strtoupper($result ? $matches[1] : 'UTF-8'); if ($charset !== 'UTF-8') { throw new Reader\Exception('Suspicious Double-encoded XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); } } return $xml; } /** * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks. * * @param mixed $xml *< * @throws Reader\Exception < ** @return string */ public function scan($xml) { $this->disableEntityLoaderCheck(); $xml = $this->toUtf8($xml); // Don't rely purely on libxml_disable_entity_loader() $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/'; if (preg_match($pattern, $xml)) { throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); } if ($this->callback !== null && is_callable($this->callback)) { $xml = call_user_func($this->callback, $xml); } return $xml; } /** * Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks. * * @param string $filestream< * < * @throws Reader\Exception* * @return string */ public function scanFile($filestream) { return $this->scan(file_get_contents($filestream)); } }
