This is an automated email from the ASF dual-hosted git repository.

fanningpj pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/poi.git


The following commit(s) were added to refs/heads/trunk by this push:
     new eafd6c04b8 Update security.xml
eafd6c04b8 is described below

commit eafd6c04b85a760a662b0a292cbbcaa87280df6a
Author: PJ Fanning <[email protected]>
AuthorDate: Mon Feb 16 19:59:54 2026 +0100

    Update security.xml
---
 src/documentation/content/xdocs/security.xml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/documentation/content/xdocs/security.xml 
b/src/documentation/content/xdocs/security.xml
index 358390181e..f82065f977 100644
--- a/src/documentation/content/xdocs/security.xml
+++ b/src/documentation/content/xdocs/security.xml
@@ -86,28 +86,36 @@
                 and writing xlsx files - so if you are working with large xlsx 
files, you should consider using the
                 streaming APIs.
             </li>
+            <li><strong>Use of Temp Files</strong><br/>
+                Apache POI makes significant use of temporary files. You need 
to ensure that the directory used
+                for temp files cannot be manipulated or even read by untrusted 
users.
+                <br/>
+                <em>DefaultTempFileCreationStrategy</em> is the default 
implementation but you can provide your own
+                strategy implementation. It is possible to configure POI to 
avoid temp file usage in some parts of
+                the code.
+            </li>
             <li><strong>Consider sandboxing document-parsing</strong><br/>
                 If you operate in a highly sensitive environment and would 
like to avoid any side effect from
                 parsing documents on your application, then consider 
extracting the parsing logic into a separate
                 process which is configured with appropriate memory settings 
and which you stop after some timeout.
                 It is a good idea to be able to auto-restart the process in 
case of a crash.
-                <br />
+                <br/>
             </li>
             <li><strong>Keep up to date with releases</strong><br/>
                 Apache POI does occasionally issue CVEs for security issues. 
There are also other bug fixes and
                 improvements in each release. Some of these fixes will be to 
make POI more robust against malicious
                 inputs, even if they are not explicitly security-related.
-                <br />
+                <br/>
             </li>
             <li><strong>Monitor security advisories</strong><br/>
                 Keep an eye on security advisories related to Apache POI. You 
can find them on the
                 <a href="https://poi.apache.org";>POI website</a> and they are 
shared on the
                 <a href="https://poi.apache.org/help/index.html";>POI mailing 
lists</a> as well as
                 the <a 
href="https://lists.apache.org/[email protected]";>Apache Announce 
Mailing List</a>.
-                <br />
+                <br/>
                 <a 
href="https://app.opencve.io/cve/?product=poi&amp;vendor=apache";>OpenCVE</a> is 
one of a
                 number of services that can help you monitor CVEs for specific 
products.
-                <br />
+                <br/>
             </li>
         </ul>
     </section>
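Review bot: the new "Use of Temp Files" item tells readers to secure the temp directory and mentions that a custom strategy can be provided, but it does not say where the default strategy puts its files or how the alternative strategy is installed, so a reader cannot act on it. Suggest stating that DefaultTempFileCreationStrategy creates its files under the JVM's java.io.tmpdir (which on shared hosts is usually readable by other local users, the exact risk the first sentence warns about) and naming the hook for swapping it, i.e. the setter on org.apache.poi.util.TempFile that accepts a TempFileCreationStrategy. The closing sentence "It is possible to configure POI to avoid temp file usage in some parts of the code" is too vague for a security page; either name the components and settings it refers to or link to the section that documents them, otherwise drop it. Minor: the three `<br />` to `<br/>` edits in the same hunk are unrelated whitespace churn and would be easier to review in a separate commit.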

