From b1717336f5c560ac900293c10c43495c5fff5953 Mon Sep 17 00:00:00 2001 From: Clay Birkett Date: Tue, 25 Jun 2024 16:06:52 -0400 Subject: [PATCH] security fix for CVE-2023-7101 --- gdata/perl/Spreadsheet/ParseExcel.pm | 28 ++++------------ gdata/perl/Spreadsheet/ParseExcel/Cell.pm | 4 +-- gdata/perl/Spreadsheet/ParseExcel/Dump.pm | 2 +- .../perl/Spreadsheet/ParseExcel/FmtDefault.pm | 6 +--- gdata/perl/Spreadsheet/ParseExcel/FmtJapan.pm | 2 +- .../perl/Spreadsheet/ParseExcel/FmtJapan2.pm | 2 +- .../perl/Spreadsheet/ParseExcel/FmtUnicode.pm | 2 +- gdata/perl/Spreadsheet/ParseExcel/Font.pm | 2 +- gdata/perl/Spreadsheet/ParseExcel/Format.pm | 2 +- .../perl/Spreadsheet/ParseExcel/SaveParser.pm | 2 +- .../ParseExcel/SaveParser/Workbook.pm | 6 ++-- .../ParseExcel/SaveParser/Worksheet.pm | 4 +-- gdata/perl/Spreadsheet/ParseExcel/Utility.pm | 33 +++++++++++++------ gdata/perl/Spreadsheet/ParseExcel/Workbook.pm | 2 +- .../perl/Spreadsheet/ParseExcel/Worksheet.pm | 2 +- 15 files changed, 47 insertions(+), 52 deletions(-) diff --git a/gdata/perl/Spreadsheet/ParseExcel.pm b/gdata/perl/Spreadsheet/ParseExcel.pm index 7d0f43fb2..b19b9dfc2 100644 --- a/gdata/perl/Spreadsheet/ParseExcel.pm +++ b/gdata/perl/Spreadsheet/ParseExcel.pm @@ -26,7 +26,7 @@ use Config; use Crypt::RC4; use Digest::Perl::MD5; -our $VERSION = '0.65'; +our $VERSION = '0.66'; use Spreadsheet::ParseExcel::Workbook; use Spreadsheet::ParseExcel::Worksheet; @@ -627,7 +627,7 @@ sub _get_content { # Reset the error status in case method is called more than once. $self->{_error_status} = ErrorNone; - + my $ref = ref($source); if ( $ref ) { @@ -1428,7 +1428,7 @@ sub _getguid { # Helper: Extract a counted (16-bit) unicode string, returns string, # updates $offset -# $zterm == 1 if string is null-terminated. +# $zterm == 1 if string is null-terminated. # $bc if length is in bytes (not chars) sub _getustr { 
@@ -1659,13 +1659,8 @@ sub _subXF { $iFillP, $iFillCF, $iFillCB ); - if ( $oBook->{BIFFVersion} == verBIFF2 ) { - die "Unsupported file format: Excel Version 2.0 (4.0 or later required)"; - } - elsif ( $oBook->{BIFFVersion} == verBIFF3 ) { - die "Unsupported file format: Excel Version 3.0 (4.0 or later required)"; - } - elsif ( $oBook->{BIFFVersion} == verBIFF4 ) { + + if ( $oBook->{BIFFVersion} == verBIFF4 ) { # Minimal support for Excel 4. We just get the font and format indices # so that the cell data value can be formatted. @@ -3418,8 +3413,6 @@ See the following for more information on Excel encryption: L - =item * This module cannot read the values of formulas from files created with Spreadsheet::WriteExcel unless the user specified the values when creating the file (which is generally not the case). The reason for this is that Spreadsheet::WriteExcel writes the formula but not the formula result since it isn't in a position to calculate arbitrary Excel formulas without access to Excel's formula engine. =item * If Excel has date fields where the specified format is equal to the system-default for the short-date locale, Excel does not store the format, but defaults to an internal format which is system dependent. In these cases ParseExcel uses the date format 'yyyy-mm-dd'. @@ -3431,9 +3424,9 @@ See the following for more information on Excel encryption: L +L @@ -3465,13 +3458,6 @@ L -=head1 MAILING LIST - -There is a Google group for discussing and asking questions about Spreadsheet::ParseExcel. This is a good place to search to see if your question has been asked before: L - - - - =head1 DONATIONS If you'd care to donate to the Spreadsheet::ParseExcel project, you can do so via PayPal: L diff --git a/gdata/perl/Spreadsheet/ParseExcel/Cell.pm b/gdata/perl/Spreadsheet/ParseExcel/Cell.pm index df9c76bfc..8d5cedd60 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Cell.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Cell.pm 
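Review bot: In `_subXF`, dropping the two `die` branches means a BIFF2 or BIFF3 workbook is no longer rejected up front and instead reaches whatever follows the `verBIFF4` test, which lies outside this hunk. If the remaining branches assume the BIFF4-or-later XF record layout, an old-format or mislabelled file would be unpacked with the wrong offsets rather than refused, so it is worth confirming that an earlier check still stops these versions. If none does, keep one guard ahead of the chain, e.g. `die "Unsupported file format: Excel 4.0 or later required" if $oBook->{BIFFVersion} == verBIFF2 || $oBook->{BIFFVersion} == verBIFF3;`. This behaviour change is also unrelated to the CVE-2023-7101 fix named in the subject and would be easier to audit as a separate commit.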
@@ -19,7 +19,7 @@ package Spreadsheet::ParseExcel::Cell; use strict; use warnings; -our $VERSION = '0.65'; +our $VERSION = '0.66'; ############################################################################### # @@ -160,7 +160,7 @@ sub get_hyperlink { return undef; } -# +# ############################################################################### # # Mapping between legacy method names and new names. diff --git a/gdata/perl/Spreadsheet/ParseExcel/Dump.pm b/gdata/perl/Spreadsheet/ParseExcel/Dump.pm index fd5b4e194..edf5cad67 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Dump.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Dump.pm @@ -19,7 +19,7 @@ package Spreadsheet::ParseExcel::Dump; use strict; use warnings; -our $VERSION = '0.65'; +our $VERSION = '0.66'; my %NameTbl = ( diff --git a/gdata/perl/Spreadsheet/ParseExcel/FmtDefault.pm b/gdata/perl/Spreadsheet/ParseExcel/FmtDefault.pm index 14d93efd1..cebeaf20d 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/FmtDefault.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/FmtDefault.pm @@ -20,7 +20,7 @@ use strict; use warnings; use Spreadsheet::ParseExcel::Utility qw(ExcelFmt); -our $VERSION = '0.65'; +our $VERSION = '0.66'; my %hFmtDefault = ( 0x00 => 'General', @@ -102,19 +102,15 @@ sub FmtStringDef { sub FmtString { my ( $oThis, $oCell, $oBook ) = @_; - no warnings; my $sFmtStr = $oThis->FmtStringDef( $oBook->{Format}[ $oCell->{FormatNo} ]->{FmtIdx}, $oBook ); - use warnings; # Special case for cells that use Lotus123 style leading # apostrophe to designate text formatting. - no warnings; if ( $oBook->{Format}[ $oCell->{FormatNo} ]->{Key123} ) { $sFmtStr = '@'; } - use warnings; unless ( defined($sFmtStr) ) { if ( $oCell->{Type} eq 'Numeric' ) { diff --git a/gdata/perl/Spreadsheet/ParseExcel/FmtJapan.pm b/gdata/perl/Spreadsheet/ParseExcel/FmtJapan.pm index fb8ae1664..9485aa6c7 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/FmtJapan.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/FmtJapan.pm 
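Review bot: With the `no warnings;` / `use warnings;` pairs removed from `FmtString`, the two `$oBook->{Format}[ $oCell->{FormatNo} ]` lookups now run with warnings enabled, and nothing checks that `FormatNo` is defined or refers to an existing format entry. A cell from a malformed workbook could then emit an uninitialized-value warning per cell, and the `->{FmtIdx}` dereference autovivifies a missing `Format` slot. Consider fetching the entry once behind a guard, e.g. `my $oFmt = defined $oCell->{FormatNo} ? $oBook->{Format}[ $oCell->{FormatNo} ] : undef;`, and reading `FmtIdx` and `Key123` from `$oFmt` only when it is a reference. `FmtString` continues past the end of this hunk.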
@@ -22,7 +22,7 @@ use warnings; use Encode qw(find_encoding decode); use base 'Spreadsheet::ParseExcel::FmtDefault'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; my %FormatTable = ( 0x00 => 'General', diff --git a/gdata/perl/Spreadsheet/ParseExcel/FmtJapan2.pm b/gdata/perl/Spreadsheet/ParseExcel/FmtJapan2.pm index a154a2a71..63e599333 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/FmtJapan2.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/FmtJapan2.pm @@ -22,7 +22,7 @@ use warnings; use Jcode; use Unicode::Map; use base 'Spreadsheet::ParseExcel::FmtJapan'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; #------------------------------------------------------------------------------ # new (for Spreadsheet::ParseExcel::FmtJapan2) diff --git a/gdata/perl/Spreadsheet/ParseExcel/FmtUnicode.pm b/gdata/perl/Spreadsheet/ParseExcel/FmtUnicode.pm index 65c460b3e..a4513a934 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/FmtUnicode.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/FmtUnicode.pm @@ -22,7 +22,7 @@ use warnings; use Unicode::Map; use base 'Spreadsheet::ParseExcel::FmtDefault'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; #------------------------------------------------------------------------------ # new (for Spreadsheet::ParseExcel::FmtUnicode) diff --git a/gdata/perl/Spreadsheet/ParseExcel/Font.pm b/gdata/perl/Spreadsheet/ParseExcel/Font.pm index d921222e7..ee528c5cc 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Font.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Font.pm @@ -19,7 +19,7 @@ package Spreadsheet::ParseExcel::Font; use strict; use warnings; -our $VERSION = '0.65'; +our $VERSION = '0.66'; sub new { my ( $class, %rhIni ) = @_; diff --git a/gdata/perl/Spreadsheet/ParseExcel/Format.pm b/gdata/perl/Spreadsheet/ParseExcel/Format.pm index 839f7218c..58c4262ee 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Format.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Format.pm 
@@ -19,7 +19,7 @@ package Spreadsheet::ParseExcel::Format; use strict; use warnings; -our $VERSION = '0.65'; +our $VERSION = '0.66'; sub new { my ( $class, %rhIni ) = @_; diff --git a/gdata/perl/Spreadsheet/ParseExcel/SaveParser.pm b/gdata/perl/Spreadsheet/ParseExcel/SaveParser.pm index ff0b39c33..311907dc7 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/SaveParser.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/SaveParser.pm @@ -25,7 +25,7 @@ use Spreadsheet::ParseExcel::SaveParser::Worksheet; use Spreadsheet::WriteExcel; use base 'Spreadsheet::ParseExcel'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; ############################################################################### # diff --git a/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Workbook.pm b/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Workbook.pm index fa4ad180c..5c325edc5 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Workbook.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Workbook.pm @@ -20,7 +20,7 @@ use strict; use warnings; use base 'Spreadsheet::ParseExcel::Workbook'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; #============================================================================== # Spreadsheet::ParseExcel::SaveParser::Workbook @@ -255,7 +255,7 @@ sub SaveAs { } } } - + my $merged_areas = $oWkS->get_merged_areas(); my $merged_areas_h = {}; if ($merged_areas) { @@ -263,7 +263,7 @@ sub SaveAs { $merged_areas_h->{$range->[0]}{$range->[1]} = $range; } } - + for ( my $iR = $oWkS->{MinRow} ; defined $oWkS->{MaxRow} && $iR <= $oWkS->{MaxRow} ; diff --git a/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Worksheet.pm b/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Worksheet.pm index 711251a65..922507128 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Worksheet.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/SaveParser/Worksheet.pm 
@@ -24,7 +24,7 @@ use warnings; #============================================================================== use base 'Spreadsheet::ParseExcel::Worksheet'; -our $VERSION = '0.65'; +our $VERSION = '0.66'; sub new { my ( $sClass, %rhIni ) = @_; @@ -36,7 +36,7 @@ sub new { #------------------------------------------------------------------------------ sub AddCell { my ( $oSelf, $iR, $iC, $sVal, $oCell, $sCode ) = @_; - + $oSelf->{_Book} ->AddCell( $oSelf->{_SheetNo}, $iR, $iC, $sVal, $oCell, $sCode ); } diff --git a/gdata/perl/Spreadsheet/ParseExcel/Utility.pm b/gdata/perl/Spreadsheet/ParseExcel/Utility.pm index c0c26a0a1..6730990ca 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Utility.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Utility.pm @@ -25,7 +25,7 @@ use vars qw(@ISA @EXPORT_OK); @EXPORT_OK = qw(ExcelFmt LocaltimeExcel ExcelLocaltime col2int int2col sheetRef xls2csv); -our $VERSION = '0.65'; +our $VERSION = '0.66'; my $qrNUMBER = qr/(^[+-]?\d+(\.\d+)?$)|(^[+-]?\d+\.?(\d*)[eE][+-](\d+))$/; @@ -78,10 +78,12 @@ sub ExcelFmt { $format_str = '@' if uc($format_str) eq "GENERAL"; # Check for a conditional at the start of the format. See notes above. - my $conditional; - if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) { - $conditional = $1; - $format_str = $2; + my $conditional_op; + my $conditional_value; + if ( $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/ ) { + $conditional_op = $1; + $conditional_value = $2; + $format_str = $3; } # Ignore the underscore token which is used to indicate a padding space. 
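Review bot: The new pattern in `ExcelFmt` captures the comparison value as `([^\]]+)`, so any text up to the closing bracket is accepted and later used as a number, and `([<>=]+)` accepts operator runs such as `=<` or `>>` that nothing downstream recognises. Because the format string comes from the workbook being parsed, it is safer to accept only the known operators and a numeric literal here, e.g. `if ( $format_str =~ /^\[(<=|>=|<>|==|[<>=])\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*\](.*)$/ ) {`, and to leave anything else in place as an ordinary bracket token. A regression test that feeds a format whose condition contains non-numeric text would pin that the condition is only ever compared, never evaluated. The body of `ExcelFmt` starts and ends outside this hunk.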
@@ -166,12 +168,23 @@ sub ExcelFmt { } # Override the previous choice if the format is conditional. - if ($conditional) { - - # TODO. Replace string eval with a function. - $section = eval "$number $conditional" ? 0 : 1; + if ($conditional_op) { + if ($conditional_op eq '>') { + $section = $number > $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '>=') { + $section = $number >= $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '<') { + $section = $number < $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '<=') { + $section = $number <= $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '=') { + $section = $number == $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '==') { + $section = $number == $conditional_value ? 0 : 1; + } elsif ($conditional_op eq '<>') { + $section = $number != $conditional_value ? 0 : 1; + } } - # We now have the required format. $format = $formats[$section]; diff --git a/gdata/perl/Spreadsheet/ParseExcel/Workbook.pm b/gdata/perl/Spreadsheet/ParseExcel/Workbook.pm index d5c0e4d65..a71b1e007 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Workbook.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Workbook.pm @@ -19,7 +19,7 @@ package Spreadsheet::ParseExcel::Workbook; use strict; use warnings; -our $VERSION = '0.65'; +our $VERSION = '0.66'; ############################################################################### # diff --git a/gdata/perl/Spreadsheet/ParseExcel/Worksheet.pm b/gdata/perl/Spreadsheet/ParseExcel/Worksheet.pm index 17d28de85..fcd7cbd24 100644 --- a/gdata/perl/Spreadsheet/ParseExcel/Worksheet.pm +++ b/gdata/perl/Spreadsheet/ParseExcel/Worksheet.pm @@ -20,7 +20,7 @@ use strict; use warnings; use Scalar::Util qw(weaken); -our $VERSION = '0.65'; +our $VERSION = '0.66'; ############################################################################### #
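Review bot: The `if`/`elsif` chain that replaces the string `eval` in `ExcelFmt` has no final branch, so an operator that the parsing regex accepts but the chain does not list (for example `=<`) silently leaves `$section` at its earlier value after the condition has already been stripped from the format string. The `=` and `==` branches are also identical, and every branch repeats the same `? 0 : 1` tail. A lookup table keeps the allowed operator set in one place and makes the unknown-operator case explicit; a sketch follows. The enclosing function begins and ends outside this hunk.

```perl
    # Override the previous choice if the format is conditional.
    if ($conditional_op) {

        # Allow-list of comparison operators; nothing from the format
        # string is ever evaluated as code.
        my %compare_for = (
            '>'  => sub { $_[0] >  $_[1] },
            '>=' => sub { $_[0] >= $_[1] },
            '<'  => sub { $_[0] <  $_[1] },
            '<=' => sub { $_[0] <= $_[1] },
            '='  => sub { $_[0] == $_[1] },
            '==' => sub { $_[0] == $_[1] },
            '<>' => sub { $_[0] != $_[1] },
        );

        if ( my $compare = $compare_for{$conditional_op} ) {
            $section = $compare->( $number, $conditional_value ) ? 0 : 1;
        }

        # Unknown operator: keep the section chosen above.
    }
    # … unchanged: $format = $formats[$section]; …
```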