From: Yaroslav Halchenko <debian@onerussian.com>
Subject: do not resolve entities 

Adapted from upstream's commit, applied on top of a more recent release

Origin: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
Bug-Debian: http://bugs.debian.org/854442
Applied-Upstream:  2017-01-17
Last-Update: 2017-02-07

--- a/openpyxl/conftest.py
+++ b/openpyxl/conftest.py
@@ -47,4 +47,8 @@ def pytest_runtest_setup(item):
             from lxml.etree import LIBXML_VERSION
             if LIBXML_VERSION < (3, 4, 0, 0):
                 pytest.skip("LXML >= 3.4 is required")
+        elif item.get_marker("no_lxml"):
+            from openpyxl import LXML
+            if LXML:
+                pytest.skip("LXML has a different interface")
 
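Review bot: The skip reason `LXML has a different interface` does not say what actually differs; judging from the new tests in `test_functions.py`, the difference is that the stdlib parser raises `ParseError` on an external entity, whereas lxml with resolution disabled parses without error. A comment above the new branch such as `# stdlib ElementTree rejects external entities outright; lxml only leaves them unresolved` would make the marker's purpose clear to the next reader. Because this is an `elif`, a test carrying both this marker and the one checked in the preceding branch is only evaluated against the first; the enclosing `pytest_runtest_setup` starts outside the hunk.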
--- a/openpyxl/xml/functions.py
+++ b/openpyxl/xml/functions.py
@@ -21,11 +21,14 @@ if LXML is True:
     fromstring,
     tostring,
     register_namespace,
-    iterparse,
     QName,
-    xmlfile
+    xmlfile,
+    XMLParser,
     )
     from xml.etree.cElementTree import iterparse
+    # do not resolve entities
+    safe_parser = XMLParser(resolve_entities=False)
+    fromstring = partial(fromstring, parser=safe_parser)
 else:
     try:
         from xml.etree.cElementTree import (
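Review bot: Only `fromstring` is rebound to use `safe_parser`; any other lxml parsing entry point this module may expose (a `parse`-based path, for instance) would still get lxml's default parser, which resolves entities — worth confirming against the rest of `functions.py`, which lies outside this hunk. `fromstring = partial(fromstring, parser=safe_parser)` also relies on `partial` already being imported at module level, and that import is not visible here. The comment would be more useful if it stated the reason rather than restating the keyword argument, e.g. `# do not resolve entities: a crafted workbook could otherwise pull in external DTD entities (XXE)`. Since `iterparse` now comes from the stdlib `cElementTree` instead of lxml, a one-line comment on why that path is not routed through lxml would help too.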
--- a/openpyxl/xml/tests/test_functions.py
+++ b/openpyxl/xml/tests/test_functions.py
@@ -2,6 +2,7 @@ import pytest
 
 from openpyxl.xml.functions import ConditionalElement
 
+import xml
 
 @pytest.fixture
 def root():
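Review bot: `import xml` by itself does not guarantee that `xml.etree.ElementTree` is loaded, yet the new `no_lxml` test later in this file reaches `xml.etree.ElementTree.ParseError` through it; it presumably only works because an earlier import (likely `openpyxl.xml.functions`) has already pulled the submodule in. Import it explicitly, `import xml.etree.ElementTree`, or better `from xml.etree.ElementTree import ParseError`. The existing `test_localtag(xml, tag)` also takes a parameter named `xml`, which shadows the module inside that test — harmless today, but another reason to import `ParseError` by name.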
@@ -50,3 +51,26 @@ def test_localtag(xml, tag):
     from .. functions import fromstring
     node = fromstring(xml)
     assert localname(node) == tag
+
+
+@pytest.mark.lxml_required
+def test_dont_resolve():
+    from ..functions import fromstring
+    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
+            <foo>&xxe;</foo>"""
+    node = fromstring(s)
+
+
+@pytest.mark.no_lxml
+def test_dont_resolve():
+    from ..functions import fromstring
+    s = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "file:///dev/random" >]>
+            <foo>&xxe;</foo>"""
+    with pytest.raises(xml.etree.ElementTree.ParseError):
+        node = fromstring(s)
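Review bot: Both new tests are named `test_dont_resolve`, so the second `def` replaces the first in the module namespace and the `lxml_required` variant is never collected — only the `no_lxml` test can ever run. Rename them, e.g. `def test_dont_resolve_lxml():` and `def test_dont_resolve_no_lxml():`. The lxml variant also asserts nothing: `node` is assigned and discarded, so a regression that re-enables entity resolution would pass silently; add an assertion that the entity was left unexpanded (for example that the content of `foo` is empty rather than data read from the referenced file — confirm the exact representation lxml uses for an unresolved entity before pinning it). In the `no_lxml` variant `node` is likewise unused inside `pytest.raises`; a bare `fromstring(s)` is enough.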
--- a/pytest.ini
+++ b/pytest.ini
@@ -9,3 +9,4 @@ markers =
     not_py33: Do not run test on Python 3.
     lxml_required: lxml required to run test
     lxml_buffering: lxml >= 3.4.0 required
+    no_lxml: do not use lxml
