Author: fanningpj
Date: Wed Jul 17 14:20:27 2024
New Revision: 1919314
URL: http://svn.apache.org/viewvc?rev=1919314&view=rev
Log:
update security notes
Modified:
poi/site/publish/changes.html
poi/site/publish/components/index.html
poi/site/publish/security.html
Modified: poi/site/publish/changes.html
URL:
http://svn.apache.org/viewvc/poi/site/publish/changes.html?rev=1919314&r1=1919313&r2=1919314&view=diff
==============================================================================
--- poi/site/publish/changes.html (original)
+++ poi/site/publish/changes.html Wed Jul 17 14:20:27 2024
@@ -231,7 +231,7 @@ document.write("Last Published: " + docu
<li>Breaking change: Some invalid content in the compressed file-formats for
xlsx/docx/pptx/... now fail parsing to prevent handling malicious input
incorrectly</li>
-<li>Upgrade saxon dependency to 12.5</li>
+<li>Upgrade commons-codec dependency to 1.17.1</li>
</ul>
<a name="Changes"></a>
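Review bot: Replacing the `Upgrade saxon dependency to 12.5` entry drops it from the change list instead of adding the new one alongside it. Unless the saxon upgrade was actually reverted, keep that line and add a separate `<li>Upgrade commons-codec dependency to 1.17.1</li>` so both dependency updates remain visible to users checking what changed in the release.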
Modified: poi/site/publish/components/index.html
URL:
http://svn.apache.org/viewvc/poi/site/publish/components/index.html?rev=1919314&r1=1919313&r2=1919314&view=diff
==============================================================================
--- poi/site/publish/components/index.html (original)
+++ poi/site/publish/components/index.html Wed Jul 17 14:20:27 2024
@@ -615,7 +615,7 @@ document.write("Last Published: " + docu
<td colspan="1" rowspan="1">poi</td>
<td colspan="1" rowspan="1"><a
href="https://search.maven.org/#artifactdetails|org.apache.logging.log4j|log4j-api|2.23.1|jar">log4j
2.x</a>,
- <a
href="https://search.maven.org/#artifactdetails|commons-codec|commons-codec|1.17.0|jar">commons-codec</a>,
+ <a
href="https://search.maven.org/#artifactdetails|commons-codec|commons-codec|1.17.1|jar">commons-codec</a>,
<a
href="https://search.maven.org/#artifactdetails|org.apache.commons|commons-collections4|4.4|jar">commons-collections</a>,
<a
href="https://search.maven.org/#artifactdetails|org.apache.commons|commons-math3|3.6.1|jar">commons-math3</a>
<a
href="https://search.maven.org/#artifactdetails|commons-io|commons-io|2.16.1|jar">commons-io</a>
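Review bot: The version bump to 1.17.1 matches the changes.html entry, but while touching this dependency list note that the `commons-math3` link is the only entry without a trailing comma before the following `commons-io` link, so the rendered list reads "commons-math3 commons-io". Adding the comma after `commons-math3</a>` keeps the separators consistent with the other entries.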
Modified: poi/site/publish/security.html
URL:
http://svn.apache.org/viewvc/poi/site/publish/security.html?rev=1919314&r1=1919313&r2=1919314&view=diff
==============================================================================
--- poi/site/publish/security.html (original)
+++ poi/site/publish/security.html Wed Jul 17 14:20:27 2024
@@ -219,7 +219,7 @@ document.write("Last Published: " + docu
<strong>Expect any type of Exception when processing documents</strong>
<br>
As parsing the various formats is very complex and involved,
there are some unexpected types of
- exceptions which can be thrown. E.g. StackOverflow or many
different types of RuntimeException.
+ exceptions which can be thrown. E.g. StackOverflowError or
many different types of RuntimeException.
<br>
Make sure to have a broad catch-statement around your
document-parsing functionality and be prepared
to handle all those gracefully.
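Review bot: Correcting the name to `StackOverflowError` is right, but it makes the following advice about a "broad catch-statement" incomplete: `StackOverflowError` is a `java.lang.Error`, not an `Exception`, so a `catch (Exception e)` block will not catch it while `RuntimeException` subclasses will be. The text should say explicitly that the handler must catch `Throwable` (or `Error` in addition to `Exception`) for this guidance to cover the error type it now names.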
@@ -248,9 +248,20 @@ document.write("Last Published: " + docu
<li>
<strong>Consider sandboxing document-parsing</strong>
<br>
- If you operate in a highly sensitive enviornment and would
like to avoid any side effect from
+ If you operate in a highly sensitive environment and would
like to avoid any side effect from
parsing documents on your application, then consider
extracting the parsing logic into a separate
process which is configured with appropriate memory settings
and which you stop after some timeout.
+ It is a good idea to be able to auto-restart the process in
case of a crash.
+ <br>
+
+</li>
+
+<li>
+<strong>Keep up to date with releases</strong>
+<br>
+ Apache POI does occasionally issue CVEs for security issues.
There are also other bug fixes and
+ improvements in each release. Some of these fixes will be to
make POI more robust against malicious
+ inputs, even if they are not explicitly security-related.
<br>
</li>
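Review bot: The new auto-restart advice should warn against retrying the same input after a crash: if the parsing process is restarted and handed the same malicious document that killed it, the result is a crash loop rather than isolation. Suggest adding a sentence that the document which caused the crash or timeout should be marked as failed and not re-queued. Separately, the stray empty `+` line after the `<br>` and before `</li>` looks unintended and can be dropped, and the new "Keep up to date with releases" item would be more useful if it pointed readers to where CVEs for POI are announced so they know what to subscribe to.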