Comments (6)
Hi Evgeny,
Thanks for highlighting that vulnerability.
Just to note that this project was never released to CPAN, hasn't been worked on since April 2012, and is effectively abandoned. There are maintained solutions such as Spreadsheet::ParseXLSX that people should be using instead.
John
from excel-reader-xlsx.
Hi John,
Thanks for the clarification. I just came across the bug in several projects that were using this module for xlsx processing. I just wanted to leave the report here for those who may still use this code, as a reminder that they will need to fix the issue themselves.
Evgeny
Thanks.
Is there a workaround for this issue?
It should be something like
use XML::LibXML::Reader;

my $xml_reader = XML::LibXML::Reader->new(
    location        => $filename,
    load_ext_dtd    => 0,   # do not load external DTDs
    expand_entities => 0,   # do not substitute entity references
    no_blanks       => 1,
    no_network      => 1,   # do not fetch remote resources
);
during XML parser init. Sure, I can send a PR, but it'll take some time because I'm not a Perl developer at all =)
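The reader configuration from the workaround above, turned into a self-check. This is an added example, not code from excel-reader-xlsx: it writes a canary file and a constructed sheet-style XML whose DTD declares an external entity pointing at that file, then confirms that a reader built with these options returns the literal entity reference rather than the file contents. The names hardened_reader and extract_text are assumptions.

```perl
# Added example, not excel-reader-xlsx code: confirm that the hardened
# XML::LibXML::Reader options leave external entities unresolved.
use strict;
use warnings;
use File::Temp qw(tempdir);
use XML::LibXML::Reader;    # also exports the XML_READER_TYPE_* constants

# Reader built with the options from the workaround comment.
sub hardened_reader {
    my ($filename) = @_;
    return XML::LibXML::Reader->new(
        location        => $filename,
        load_ext_dtd    => 0,    # never fetch an external DTD
        expand_entities => 0,    # keep entity references unsubstituted
        no_network      => 1,    # no http:// or ftp:// resolution
        no_blanks       => 1,
    );
}

# Return the inner markup of every <t> element (cell text in sheet XML).
sub extract_text {
    my ($reader) = @_;
    my @texts;
    while ($reader->read) {
        next unless $reader->nodeType == XML_READER_TYPE_ELEMENT
                 && $reader->name eq 't';
        push @texts, $reader->readInnerXml;    # literal, e.g. "&ext;"
    }
    return @texts;
}

# Constructed fixture: a canary file standing in for data that must not
# leak, and a sheet-like XML whose DTD declares an external entity to it.
my $dir    = tempdir(CLEANUP => 1);
my $secret = "$dir/secret.txt";
open my $fh, '>', $secret or die "$secret: $!";
print {$fh} "CANARY-DO-NOT-LEAK\n";
close $fh;
my $sheet = "$dir/sheet1.xml";
open $fh, '>', $sheet or die "$sheet: $!";
print {$fh} <<"XML";
<?xml version="1.0"?>
<!DOCTYPE sst [ <!ENTITY ext SYSTEM "file://$secret"> ]>
<sst><si><t>&ext;</t></si></sst>
XML
close $fh;

my @cells = extract_text(hardened_reader($sheet));
print( (grep { /CANARY/ } @cells) ? "FAIL: entity was expanded\n"
                                  : "OK: cell text is '@cells'\n" );
```

The same check can be run against any reader construction in a project that vendors this module: if the canary ever appears in the extracted text, the parser options have not been applied.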
I've pushed a fix for this to master. If you encounter users with this vulnerability you can ask them to upgrade or better still to use a supported module.
Either way, thank you for the report.
@luc-lynx Where do I add this payload in Excel files? Kindly make a video for it. Using Linux LibreOffice. Also for other Office files: Word, PP, etc.