poi-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 54764] XSSF : Vulnerable to entity expansion attack
Date Wed, 03 Apr 2013 21:30:53 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=54764

--- Comment #3 from Phil Persad <philip.persad@gmail.com> ---
After looking into the issue more closely (while trying to safely parse docx
files), I found that the openxml4j code does not pre-parse as many of the
various .xml files in a .docx as it does in a .xlsx.  As a result, even if
openxml4j is parsing securely, an XML bomb can still sneak past unparsed and
blow up in the XWPFDocument construction.

In the end a simpler solution was to implement pre-parsing of all the xml
documents in the docx zip stream with a securely configured parser in the
calling application.

I'm not too thrilled with the performance implications, but a node failing due
to a bad XML file in an openXML doc is the worst case and worth the performance
hit to avoid.

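The workaround described in the comment above, written out as an added example (this is not code from the bug report or from Apache POI): every `.xml` and `.rels` entry in the `.docx` zip stream is parsed first with a hardened SAX parser that rejects DOCTYPE declarations and external entities, and only if all parts pass are the bytes handed to `XWPFDocument`. It assumes Apache POI on the classpath, a JDK SAX implementation that understands the Xerces `disallow-doctype-decl` feature, and Java 9 or later for `readAllBytes()`; the class name `SafeDocxLoader` is made up for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.apache.poi.xwpf.usermodel.XWPFDocument;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical helper: pre-scan all XML parts of a .docx before POI sees them. */
public final class SafeDocxLoader {

    /** A SAX parser configured so that entity bombs and external entities fail fast. */
    private static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Enables the JDK's built-in limits on entity expansion and similar constructs.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // OOXML parts never legitimately carry a DOCTYPE; refusing one removes
        // the vector for internal entity expansion ("billion laughs") entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: no external general/parameter entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /**
     * Walks the zip stream and parses every .xml/.rels entry with the hardened parser.
     * Returns false (and logs the offending part) as soon as one entry is rejected.
     */
    static boolean allXmlPartsAreSafe(byte[] docx)
            throws IOException, ParserConfigurationException, SAXException {
        SAXParser parser = hardenedParser();
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(docx))) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                String name = entry.getName().toLowerCase();
                if (entry.isDirectory() || !(name.endsWith(".xml") || name.endsWith(".rels"))) {
                    continue;
                }
                // ZipInputStream.read() returns -1 at the end of the current entry,
                // so readAllBytes() yields exactly this part's uncompressed bytes.
                byte[] part = zip.readAllBytes();
                try {
                    parser.parse(new InputSource(new ByteArrayInputStream(part)), new DefaultHandler());
                } catch (SAXException e) {
                    System.err.println("Rejecting " + entry.getName() + ": " + e.getMessage());
                    return false;
                }
                parser.reset();
            }
        }
        return true;
    }

    /** Loads the document only after the pre-scan has accepted every XML part. */
    public static XWPFDocument load(Path path)
            throws IOException, ParserConfigurationException, SAXException {
        byte[] bytes = Files.readAllBytes(path);
        if (!allXmlPartsAreSafe(bytes)) {
            throw new IOException("Refusing to open " + path + ": unsafe XML part");
        }
        return new XWPFDocument(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        try (XWPFDocument doc = load(Path.of(args[0]))) {
            System.out.println("Paragraphs: " + doc.getParagraphs().size());
        }
    }
}
```

Reading the whole file into memory and parsing each part twice is the performance cost the comment accepts; the pre-scan is cheap relative to POI's own object model construction, and it runs before any part is interpreted, which is what closes the gap where openxml4j leaves some .docx parts unparsed until `XWPFDocument` touches them.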

