chore(deps): update dependency phpoffice/phpspreadsheet to v2 [security] - autoclosed #355
This PR contains the following updates:
phpoffice/phpspreadsheet: `^1.29.0|^2.0` -> `2.2.1`
GitHub Vulnerability Alerts
CVE-2024-45046
Summary
`\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.
PoC
Example target script:
Save this file in the same directory: `book.xlsx`
Open `index.php` in a web browser. An alert should be displayed.
Impact
Full takeover of the session of users viewing spreadsheet files as HTML.
CVE-2024-45048
Summary
Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).
Details
The check `$pattern = '/encoding="(.*?)"/';` is easy to bypass. Just use a single quote symbol `'`. So the payload looks like this:
If you add this header to any XML file inside an xlsx-formatted file, such as the `sharedStrings.xml` file, then the XXE will execute.
PoC
`xl/sharedStrings.xml` file in edit mode.
`<?xml version="1.0" encoding="UTF-8" standalone="yes"?>`
to `sharedStrings.xml` file and rename zip back to xlsx.
`http://%webhook%/file.dtd`
Impact
Read local files
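As an added example, not PhpSpreadsheet's own code or its released fix: a PHP sketch contrasting the double-quote-only encoding pattern quoted in the advisory with a check that accepts either quote style before scanning for a DOCTYPE. The function names, the hardened pattern and the sample header are assumptions of this example.

```php
<?php
// Added example, not PhpSpreadsheet's own code or its released fix.
// Contrasts the double-quote-only encoding pattern quoted in the advisory
// with a check that accepts either quote style before the DOCTYPE scan.
// Function names, the hardened pattern and the sample header are assumptions.
declare(strict_types=1);

/** Weak: misses encoding='...' (single quotes), so no encoding is returned. */
function encodingWeak(string $xml): ?string
{
    return preg_match('/encoding="(.*?)"/', $xml, $m) === 1 ? $m[1] : null;
}

/** Hardened: either quote style, and only a well-formed XML EncName token. */
function encodingHardened(string $xml): ?string
{
    $pattern = '/<\?xml[^>]*\sencoding\s*=\s*(["\'])([A-Za-z][A-Za-z0-9._-]*)\1/i';
    return preg_match($pattern, $xml, $m) === 1 ? strtoupper($m[2]) : null;
}

/**
 * Look for a DOCTYPE only after normalising the document to UTF-8, so the
 * byte-level search sees the same text the XML parser will decode. An
 * encoding that cannot be converted is treated as unsafe rather than skipped.
 */
function isUnsafeXml(string $xml, ?string $encoding): bool
{
    if ($encoding !== null && $encoding !== 'UTF-8') {
        try {
            $xml = mb_convert_encoding($xml, 'UTF-8', $encoding);
        } catch (\ValueError) {
            return true; // unknown encoding: refuse rather than guess
        }
    }
    return stripos($xml, '<!DOCTYPE') !== false;
}

// Constructed sample: a declaration written with single quotes, as the
// advisory describes. No entity declaration is included here.
$header = "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\n<sst/>";

var_dump(encodingWeak($header));      // the weak pattern finds no encoding
var_dump(encodingHardened($header));  // the hardened pattern finds UTF-8
var_dump(isUnsafeXml($header, encodingHardened($header)));
```

Such a scan complements, rather than replaces, parsing with external entity loading disabled (for example a `libxml_set_external_entity_loader` callback that returns null).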
Release Notes
PHPOffice/PhpSpreadsheet (phpoffice/phpspreadsheet)
v2.2.1
Compare Source
Security Fix
Fixed
v2.2.0
Compare Source
Added
Changed
Deprecated
Moved
Fixed
v2.1.0
Compare Source
MINOR BREAKING CHANGE
Added
Changed
Deprecated
Removed
Fixed
v2.0.0
Compare Source
BREAKING CHANGE
any interfaces or inherit from any classes, you will need to adapt your typing accordingly. If you use static analysis
tools such as PHPStan or Psalm, new errors might be found. If you find actual bugs because of the new typing, please
open a PR that fixes it with a detailed explanation of the reason. We'll try to merge and release typing-related
fixes quickly in the coming days. PR #3718
Added
Changed
- `toFormattedString` will now always return a string. This was introduced with 1.28.0, but was not properly documented at the time. This can affect the results of `toArray`, `namedRangeToArray`, and `rangeToArray`. PR #3304
Deprecated
- `_translateFormulaToLocale` and `_translateFormulaEnglish` are replaced by versions without leading underscore. PR #3828
Removed
Fixed
- `xlfn.` and `xlws.` from Formula Translations. Issue #3819 PR #3828
- `between` operator for data validation. Issue #3863 PR #3865
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.