This is an automated email from the ASF dual-hosted git repository. pjfanning pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/poi.git
commit 028abf64239313cbe2d3ae778dff9b009ce7db54 Author: PJ Fanning <[email protected]> AuthorDate: Fri Jun 5 17:51:20 2026 +0100 update docs --- content/encryption.html | 12 ++++++++++++ content/security.html | 11 +++++++++++ 2 files changed, 23 insertions(+) diff --git a/content/encryption.html b/content/encryption.html index a5bcc4ad6b..3c4f8e51e9 100644 --- a/content/encryption.html +++ b/content/encryption.html @@ -331,6 +331,12 @@ document.write("Last Published: " + document.lastModified); <span class="lineno"></span><span class="codebody"></span> </div> <div class="codeline"> +<span class="lineno"></span><span class="codebody">// set password before opening the file - note that this a ThreadLocal and needs to be</span> +</div> +<div class="codeline"> +<span class="lineno"></span><span class="codebody">// reset to null after text extraction</span> +</div> +<div class="codeline"> <span class="lineno"></span><span class="codebody">Biff8EncryptionKey.setCurrentUserPassword("pass");</span> </div> <div class="codeline"> @@ -353,6 +359,12 @@ document.write("Last Published: " + document.lastModified); <span class="lineno"></span><span class="codebody"></span> </div> <div class="codeline"> +<span class="lineno"></span><span class="codebody">// set password before opening the file - note that this a ThreadLocal and needs to be</span> +</div> +<div class="codeline"> +<span class="lineno"></span><span class="codebody">// reset to null after text extraction</span> +</div> +<div class="codeline"> <span class="lineno"></span><span class="codebody">Biff8EncryptionKey.setCurrentUserPassword("pass");</span> </div> <div class="codeline"> diff --git a/content/security.html b/content/security.html index 653a52d6fd..b1aa7d3510 100644 --- a/content/security.html +++ b/content/security.html @@ -279,6 +279,17 @@ document.write("Last Published: " + document.lastModified); the code. </li> +<li> +<strong>Heap Memory</strong> +<br> + Apache POI can have sensitive sensitive data from parsed or generated documents in memory. + Classes like <em>Biff8EncryptionKey</em> use ThreadLocal to store sensitive data. Users should ensure + that they clear this data as soon as possible after use. + <br> + It is strongly recommended that POI based code is not run in a JVM where untrusted users have access to + the heap memory, e.g. by using a shared hosting environment. + </li> + <li> <strong>Consider sandboxing document-parsing</strong> <br> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
