- Issue created by @yanalshoubaki
- 🇯🇴 Jordan yanalshoubaki Amman
yanalshoubaki → changed the visibility of the branch 3479278-xxe-in-phpspreadsheets to hidden.
- 🇫🇷 France prudloff Lille
I suppose you are talking about this vulnerability: https://github.com/advisories/GHSA-6hwr-6v2f-3m88
Websites using webform_xlsx_export should already be able to update to phpspreadsheet 2.3.
Furthermore, the module only writes spreadsheets and the vulnerability seems to only apply to reading them. However, I agree it would be good practice to require a secure version of phpspreadsheet. I just think we should commit 🐛 Stop versioning composer.lock Active first.
Upgrading to phpspreadsheet 3 might cause breaking changes and would require some testing, so I think this issue should focus on upgrading to 2.3 and I opened another issue about phpspreadsheet 3: ✨ Support phpspreadsheet 3 Active
- 🇺🇸 United States jesss
My export breaks when upgrading to PHPSpreadsheet 2.3.2 but continues to work on version 2.3.0 (the insecure one).
This only appears to happen with larger exports -- this one in particular has 1200+ submissions. The export starts as expected, but mid-batch it crashes with the following error.
PhpOffice\PhpSpreadsheet\Reader\Exception: File "/tmp/classical_countdown_2024.xlsx" does not exist. in PhpOffice\PhpSpreadsheet\Shared\File::assertFile() (line 147 of /code/vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/File.php).
When I downgraded to 2.3.0, the export completed without errors. (Currently on Webform XLSX Export 1.4 with the patch from 🐛 Typed property must not be accessed before initialisation Active applied.)
- 🇫🇷 France prudloff Lille
@jess thank you for reporting this but I think it would be better handled in a separate issue.
If you are able to provide a full stack trace for the error, it would be easier to see what happens exactly.
- prudloff → committed b3fc4d24 on 8.x-1.x
Issue #3479278 by yanalshoubaki: XXE in PHPSpreadsheet's XLSX reader
- 🇫🇷 France prudloff Lille
webform_xlsx_export will now prevent users from using 2.2 (because no 2.2 release is secure).
Note however that it is the responsibility of devs using this module to use secure versions of dependencies.
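As an added check (not code from webform_xlsx_export or phpspreadsheet), here is a small PHP script a site can run in CI or before deploy to refuse an installed phpoffice/phpspreadsheet older than 2.3, the release this thread points to as the one to upgrade to. The 2.3.0 floor, the script name and the exit codes are assumptions; it uses Composer's own `Composer\InstalledVersions` runtime API, so it needs Composer 2 and a generated `vendor/autoload.php`.

```php
<?php
// check-phpspreadsheet.php (hypothetical name, added example; not part of
// webform_xlsx_export). Exits non-zero when the installed
// phpoffice/phpspreadsheet is below the minimum this thread treats as fixed.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Composer\InstalledVersions;

const PACKAGE = 'phpoffice/phpspreadsheet';
// Assumption from the thread: 2.3 is the first acceptable 2.x line, and no
// 2.2 release is acceptable. Adjust if your advisory data says otherwise.
const MIN_SAFE_VERSION = '2.3.0';

/**
 * True when $installed is at least $minimum.
 * A leading "v" is dropped; pre-release suffixes are left in place so that
 * "2.3.0-beta1" still compares as older than "2.3.0" (PHP's version_compare
 * orders beta/RC before the final release). Branch aliases such as
 * "dev-master" carry no numeric version and are treated as unsafe.
 */
function isSafeVersion(string $installed, string $minimum = MIN_SAFE_VERSION): bool
{
    if (str_starts_with($installed, 'dev-')) {
        return false;
    }
    $normalized = ltrim($installed, 'v');
    return version_compare($normalized, $minimum, '>=');
}

if (!InstalledVersions::isInstalled(PACKAGE)) {
    fwrite(STDERR, PACKAGE . " is not installed.\n");
    exit(2);
}

$installed = InstalledVersions::getPrettyVersion(PACKAGE) ?? 'unknown';

if (!isSafeVersion($installed)) {
    fwrite(STDERR, sprintf(
        "%s %s is below %s; update before deploying.\n",
        PACKAGE, $installed, MIN_SAFE_VERSION
    ));
    exit(1);
}

printf("%s %s satisfies >= %s\n", PACKAGE, $installed, MIN_SAFE_VERSION);
```

Run it from the project root with `php check-phpspreadsheet.php`. It only enforces the version floor discussed here; `composer audit` (Composer 2.4 and later) is the general way to check every installed package against published advisories, including GHSA-6hwr-6v2f-3m88.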
- Status changed to Fixed
3 months ago (11:14am 9 December 2024): Automatically closed - issue fixed for 2 weeks with no activity.