This is an automated email from the ASF dual-hosted git repository.

pjfanning pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/poi.git

commit 028abf64239313cbe2d3ae778dff9b009ce7db54
Author: PJ Fanning <[email protected]>
AuthorDate: Fri Jun 5 17:51:20 2026 +0100

    update docs
---
 content/encryption.html | 12 ++++++++++++
 content/security.html   | 11 +++++++++++
 2 files changed, 23 insertions(+)

diff --git a/content/encryption.html b/content/encryption.html
index a5bcc4ad6b..3c4f8e51e9 100644
--- a/content/encryption.html
+++ b/content/encryption.html
@@ -331,6 +331,12 @@ document.write("Last Published: " + document.lastModified);
 <span class="lineno"></span><span class="codebody"></span>
 </div>
 <div class="codeline">
+<span class="lineno"></span><span class="codebody">// set password before 
opening the file - note that this a ThreadLocal and needs to be</span>
+</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">// reset to null after text 
extraction</span>
+</div>
+<div class="codeline">
 <span class="lineno"></span><span 
class="codebody">Biff8EncryptionKey.setCurrentUserPassword("pass");</span>
 </div>
 <div class="codeline">
@@ -353,6 +359,12 @@ document.write("Last Published: " + document.lastModified);
 <span class="lineno"></span><span class="codebody"></span>
 </div>
 <div class="codeline">
+<span class="lineno"></span><span class="codebody">// set password before 
opening the file - note that this a ThreadLocal and needs to be</span>
+</div>
+<div class="codeline">
+<span class="lineno"></span><span class="codebody">// reset to null after text 
extraction</span>
+</div>
+<div class="codeline">
 <span class="lineno"></span><span 
class="codebody">Biff8EncryptionKey.setCurrentUserPassword("pass");</span>
 </div>
 <div class="codeline">
diff --git a/content/security.html b/content/security.html
index 653a52d6fd..b1aa7d3510 100644
--- a/content/security.html
+++ b/content/security.html
@@ -279,6 +279,17 @@ document.write("Last Published: " + document.lastModified);
                 the code.
             </li>
             
+<li>
+<strong>Heap Memory</strong>
+<br>
+                Apache POI can have sensitive sensitive data from parsed or 
generated documents in memory.
+                Classes like <em>Biff8EncryptionKey</em> use ThreadLocal to 
store sensitive data. Users should ensure
+                that they clear this data as soon as possible after use.
+                <br>
+                It is strongly recommended that POI based code is not run in a 
JVM where untrusted users have access to
+                the heap memory, e.g. by using a shared hosting environment.
+            </li>
+            
 <li>
 <strong>Consider sandboxing document-parsing</strong>
 <br>


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to