XmlWriter Vulnerability

See issue PHPOffice#2081. This will need to be redone for Php8.5.

Author: oleibman

samples/Sample_47_RTLTitles.php

@@ -17,7 +17,6 @@
 
 // Define styles for headers
 $phpWord->addTitleStyle(1, ['bold' => true, 'name' => 'Arial', 'size' => 16], []);
-//var_dump($x);
 $phpWord->addTitleStyle(2, ['bold' => true, 'name' => 'Arial', 'size' => 14], []);
 $phpWord->addTitleStyle(3, ['bold' => true, 'name' => 'Arial', 'size' => 12], []);
 $phpWord->addTitleStyle(4, ['bold' => true, 'name' => 'Arial', 'size' => 10], []);

src/PhpWord/Shared/XMLWriter.php

@@ -18,7 +18,7 @@
 
 namespace PhpOffice\PhpWord\Shared;
 
-use Exception;
+use PhpOffice\PhpWord\Exception\Exception as WordException;
 
 /**
  * XMLWriter.
@@ -90,9 +90,14 @@ public function __destruct()
         if (empty($this->tempFileName)) {
             return;
         }
-        if (PHP_OS != 'WINNT' && @unlink($this->tempFileName) === false) {
-            throw new Exception('The file ' . $this->tempFileName . ' could not be deleted.');
-        }
+        @unlink($this->tempFileName);
+    }
+
+    public function __wakeup(): void
+    {
+        $this->tempFileName = '';
+
+        throw new WordException('Unserialize not permitted');
     }
 
     /**

tests/PhpWordTests/Shared/XMLWriterTest.php

@@ -18,6 +18,7 @@
 
 namespace PhpOffice\PhpWordTests\Shared;
 
+use PhpOffice\PhpWord\Exception\Exception as WordException;
 use PhpOffice\PhpWord\Shared\XMLWriter;
 
 /**
@@ -71,4 +72,12 @@ public function testWriteAttributeShouldWriteFloatValueLocaleIndependent(): void
 
         setlocale(LC_NUMERIC, $currentLocale);
     }
+
+    public function testNoUnserialize(): void
+    {
+        $this->expectException(WordException::class);
+        $this->expectExceptionMessage('Unserialize not permitted');
+        $xmlWriter = new XMLWriter();
+        unserialize(serialize($xmlWriter));
+    }
 }