Merge pull request #23 from troosan/fix_xxe_injection

Fix xxe injection

Author: Progi1984

CHANGELOG.md

@@ -48,4 +48,14 @@
 
 ### Features
 - Added `\PhpOffice\Common\File::fileGetContents()` (with support of zip://)
-- Added Support for PHP 7.1
+- Added Support for PHP 7.1
+
+## 0.2.8
+
+### Features
+- Added possibility to register namespaces to DOMXpath
+- Added Utility to get an Office compatible hash of a password
+- Write attribute's value of type float independently of locale
+
+## 0.2.9
+- Fix XML Entity injection vulnerability

VERSION

@@ -1 +1 @@
-0.2.7
+0.2.9

src/Common/Microsoft/PasswordEncoder.php

@@ -164,7 +164,7 @@ private static function getAlgorithm($algorithmName)
     /**
      * Returns the algorithm ID
      *
-     * @param sting $algorithmName
+     * @param string $algorithmName
      * @return int
      */
     public static function getAlgorithmId($algorithmName)

src/Common/XMLReader.php

@@ -71,6 +71,7 @@ public function getDomFromZip($zipFile, $xmlFile)
      */
     public function getDomFromString($content)
     {
+        libxml_disable_entity_loader(true);
         $this->dom = new \DOMDocument();
         $this->dom->loadXML($content);