BC since Settings::libXmlLoaderOptions is ignored #4260

Open
1 of 8 tasks
JulienChavee opened this issue Dec 3, 2024 · 5 comments

@JulienChavee

This is:

- [x] a bug report
- [ ] a feature request
- [ ] **not** a usage question (ask them on https://stackoverflow.com/questions/tagged/phpspreadsheet or https://gitter.im/PHPOffice/PhpSpreadsheet)

What is the expected behavior?

Currently, we use the Settings::setLibXmlLoaderOptions() function to set the constant LIBXML_PARSEHUGE.
While we added this 4 years ago and I can hardly find which of the files we are receiving are using this functionality, I would like to be sure that updating the library will not cause a BC on our side, since it was removed in #4233.
Is it something that was considered? Do we have another way to allow parsing huge XML files?

What is the current behavior?

Huge XLSX files can be parsed with the library.

What are the steps to reproduce?

What features do you think are causing the issue

  • Reader
  • Writer
  • Styles
  • Data Validations
  • Formula Calculations
  • Charts
  • AutoFilter
  • Form Elements

Does an issue affect all spreadsheet file formats? If not, which formats are affected?

Format using XML files

Which versions of PhpSpreadsheet and PHP are affected?

= 3.5

@oleibman
Collaborator

oleibman commented Dec 3, 2024

It was not something that we considered. As far as I could tell, libXmlLoaderOptions was nothing but a vector for malicious exploits. If you can upload a file with this problem, I can work on finding a solution for it.

@quentindarrigade

We were also using libXmlLoaderOptions to set LIBXML_PARSEHUGE up until version 1.29.4.
We tried to update the lib to 1.29.6 and are not able to read some of our uploaded Excel files anymore.
If a replacement could be developed, that would be great! :)

@oleibman
Collaborator

I would need to understand why you need it. The reason for restricting files to those which don't require PARSEHUGE is to prevent DOS attacks using too much memory. The recent set of security fixes has made me paranoid. Is it possible to upload an affected file?

@quentindarrigade

I am not sure why. We noticed that if we remove LIBXML_PARSEHUGE, some of our Excel files (the biggest ones) cannot be read by PhpSpreadsheet anymore. Once the option is set back up, everything works fine.

@oleibman
Collaborator

If you are able to upload a failing file, I can investigate.
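
An added example, not part of the thread and not PhpSpreadsheet code: one way to find out offline which XML part of an XLSX is rejected once LIBXML_PARSEHUGE is no longer set, and what libxml reports for it. The function name `partsRejectedWithoutParseHuge` and the sample archive are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical diagnostic helper: parse each XML part of an XLSX with libxml2's
// default limits (no LIBXML_PARSEHUGE) and return the parts the parser rejects,
// with their uncompressed size and the libxml error messages.
function partsRejectedWithoutParseHuge(string $xlsxPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($xlsxPath) !== true) {
        throw new RuntimeException("Cannot open {$xlsxPath} as a ZIP archive");
    }
    $previous = libxml_use_internal_errors(true); // collect errors instead of warnings
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false || !preg_match('/\.(xml|rels)$/i', $stat['name'])) {
            continue; // skip media and other non-XML members
        }
        libxml_clear_errors();
        $xml = $zip->getFromIndex($i);
        // LIBXML_NONET only; LIBXML_PARSEHUGE is deliberately absent.
        if ($xml === false || simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET) === false) {
            $rejected[$stat['name']] = [
                'bytes'  => (int) $stat['size'],
                'errors' => array_map(
                    static fn (LibXMLError $e): string => sprintf('line %d: %s', $e->line, trim($e->message)),
                    libxml_get_errors()
                ),
            ];
        }
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $zip->close();
    return $rejected;
}

// Constructed sample: a minimal archive whose shared-strings part holds one text
// node larger than libxml2's default 10,000,000-byte text-node limit.
$path = tempnam(sys_get_temp_dir(), 'xlsx');
$sample = new ZipArchive();
$sample->open($path, ZipArchive::OVERWRITE);
$sample->addFromString('xl/workbook.xml', '<workbook><sheets/></workbook>');
$sample->addFromString('xl/sharedStrings.xml', '<sst><si><t>' . str_repeat('A', 11000000) . '</t></si></sst>');
$sample->close();
print_r(partsRejectedWithoutParseHuge($path));
unlink($path);
```

Run it from the CLI against a copy of an affected file by replacing the constructed `$path`; the reported part name and message show which limit the file exceeds without enabling LIBXML_PARSEHUGE in the application.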
