The question to the others: This is a dependency problem and not POI's fault. We can provide a "workaround" (which introduces a security issue on those broken platforms) - this is why I raised it to warning level when adding the workaround. I don't think this should hold a beta2 release, XERCES 2.6.1 is 10 (!!!) years old and was released before Java 5, which added DocumentBuilderFactory#setFeature().

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

> -----Original Message-----
> From: Uwe Schindler [mailto:[email protected]]
> Sent: Monday, August 18, 2014 6:08 PM
> To: 'POI Developers List'
> Subject: RE: [VOTE] Apache POI 3.11-beta2 release
>
> Hi Dominik,
>
> I committed the suggested fix (to both poi and poi-ooxml):
>
> http://svn.apache.org/r1618644
>
> Please note: I raised the logging level on failure to "warning", because you
> make your XML parsing vulnerable to CVE-2014-3574 and CVE-2014-3529!
>
> POI 3.10.1 should have the same issue, but it's less severe there, because
> DocumentHelper is only used for Excel Import/Export in OOXML, not for
> openxml DOMs.
>
> Uwe
>
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: [email protected]
>
> > -----Original Message-----
> > From: Dominik Stadler [mailto:[email protected]]
> > Sent: Monday, August 18, 2014 4:09 PM
> > To: POI Developers List
> > Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> >
> > I agree that the lib is outdated, but in my case it is pulled in by
> > some other dependency down the tree; being a large project, it is hard
> > to update the Xerces dependency without causing more work to update
> > other dependencies that are not related to POI, thus making a simple
> > update of POI rather complicated.
> >
> > These tests ran fine with POI 3.10 and 3.11-beta1, so we are
> > introducing this incompatibility with -beta2. A fix is easy, just
> > catch the AbstractMethodError in that place the same way that we already
> > catch Exception.
> >
> > So my vote is now 0, I do not vote against it, but think we should do
> > this change for 3.11 final.
> >
> > Dominik.
> >
> >
> > On Mon, Aug 18, 2014 at 3:03 PM, Uwe Schindler <[email protected]> wrote:
> > > Hi,
> > >
> > > this old Xerces version is not compliant to Java 6 as required as
> > > minimum JVM. Since Java 1.4, the JDK requires setFeature() to be available.
> > >
> > > The problem you have is: Something is inserting an older version of
> > > xml-apis.jar into the classpath or the lib/ext folder of your JDK, that
> > > breaks java 1.4+.
> > >
> > > This will also happen with the bug fix release 3.10.1. There is
> > > nothing we can do; upgrade to newer XERCES, which is compliant to newer
> > > Java versions.
> > >
> > > Uwe
> > >
> > > -----
> > > Uwe Schindler
> > > H.-H.-Meier-Allee 63, D-28213 Bremen
> > > http://www.thetaphi.de
> > > eMail: [email protected]
> > >
> > >
> > >> -----Original Message-----
> > >> From: Dominik Stadler [mailto:[email protected]]
> > >> Sent: Monday, August 18, 2014 2:52 PM
> > >> To: POI Developers List
> > >> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> > >>
> > >> Hi,
> > >>
> > >> I get the following, which looks like the change to remove dom4j is
> > >> not fully working yet for some versions of Xerces XML Parser:
> > >>
> > >> java.lang.AbstractMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
> > >>     at org.apache.poi.util.DocumentHelper.trySetSAXFeature(DocumentHelper.java:62)
> > >>     at org.apache.poi.util.DocumentHelper.<clinit>(DocumentHelper.java:56)
> > >>     at org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.marshallRelationshipPart(ZipPartMarshaller.java:120)
> > >>     at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:464)
> > >>     at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1425)
> > >>     at org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:201)
> > >>     at com.xxx.diagnostics.report.excel.ExcelRenderer.reportDashboard(ExcelReportRenderer.java:99)
> > >>     at com.xxx.diagnostics.report.excel.ExcelRendererTest.testReportDashboardWithTooManyTableRowsXLSX(ExcelReportRendererTest.java:2268)
> > >>
> > >> This is a larger set of tests with some POI-related tests; due to
> > >> other dependencies an older version of Xerces XML Parser is pulled:
> > >>
> > >> documentBuilderFactory is a
> > >> org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and not a
> > >> javax.xml.parsers.DocumentBuilderFactory which is provided with Java
> > >> itself.
> > >>
> > >> Test-Case is simply:
> > >>
> > >> import java.io.File;
> > >> import java.io.FileOutputStream;
> > >> import java.io.IOException;
> > >> import org.apache.poi.ss.usermodel.Workbook;
> > >> import org.apache.poi.xssf.usermodel.XSSFWorkbook;
> > >> import org.junit.Test;
> > >>
> > >> @Test
> > >> public void testCrash() throws IOException {
> > >>     System.out.println("Java: " + System.getProperty("java.version"));
> > >>
> > >>     // Writing any XSSFWorkbook triggers DocumentHelper's static initializer
> > >>     try (Workbook wb = new XSSFWorkbook()) {
> > >>         FileOutputStream out = new FileOutputStream(new File("C:\\temp\\test.xlsx"));
> > >>         try {
> > >>             wb.write(out);
> > >>         } finally {
> > >>             out.close();
> > >>         }
> > >>     }
> > >> }
> > >>
> > >>
> > >> At least xerces-2.6.1 is not providing the "setFeature()" method,
> > >> xerces-2.11 and 2.9.1 seem to have it, I did not check intermediate
> > >> versions.
> > >>
> > >> I vote that we avoid this crash by either also catching the
> > >> AbstractMethodError or not calling that method on older versions of
> > >> Xerces that do not yet have "setFeature". Customers will run POI in
> > >> all sorts of environments and thus it is likely that older versions
> > >> of Xerces are still present in a number of them.
> > >>
> > >> Thus -1 from me unless it can be explained as being a local problem
> > >> in my environment.
> > >>
> > >> Dominik.
> > >>
> > >> On Sun, Aug 17, 2014 at 11:45 PM, Andreas Beeker
> > >> <[email protected]> wrote:
> > >> > +1 from my side
> > >> >
> > >> >
> > >> > ---------------------------------------------------------------------
> > >> > To unsubscribe, e-mail: [email protected]
> > >> > For additional commands, e-mail: [email protected]
> > >> >
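Added example, written for this archive page and not taken from POI's DocumentHelper or from anyone in the thread: a Java helper that applies the entity-related hardening features whose absence the thread ties to CVE-2014-3574 and CVE-2014-3529, catches the AbstractMethodError that a pre-Java-5 Xerces (2.6.1 in the thread) raises from DocumentBuilderFactory#setFeature() in the same spirit as the committed workaround, and adds one thing the workaround lacks: a fail-closed switch so a caller can refuse to parse at all instead of parsing with reduced protection. The class and method names are my own; the feature URIs are the standard Xerces/SAX ones and XMLConstants.FEATURE_SECURE_PROCESSING is the JAXP constant. The sample document is constructed and harmless; it exists only to show that a hardened parser rejects any DOCTYPE.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

/**
 * Added illustration (hypothetical class, not POI's DocumentHelper): builds a
 * DocumentBuilderFactory with entity hardening and reports how many features could not be set.
 */
public final class HardenedDocumentBuilderFactory {

    private static final Logger LOG = Logger.getLogger(HardenedDocumentBuilderFactory.class.getName());

    // Standard Xerces/SAX feature URIs; these are real, only the surrounding class is invented.
    private static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    private HardenedDocumentBuilderFactory() {}

    /**
     * Applies every hardening feature and returns the number that could NOT be set.
     * Non-zero means the parser on the classpath (e.g. Xerces 2.6.1) does not honour them,
     * so the resulting factory must not be treated as safe against external entities.
     */
    public static int applyHardening(DocumentBuilderFactory factory) {
        int failures = 0;
        if (!trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true)) failures++;
        if (!trySetFeature(factory, DISALLOW_DOCTYPE, true)) failures++;
        if (!trySetFeature(factory, EXTERNAL_GENERAL, false)) failures++;
        if (!trySetFeature(factory, EXTERNAL_PARAMETER, false)) failures++;
        if (!trySetFeature(factory, LOAD_EXTERNAL_DTD, false)) failures++;
        // Plain setters that predate setFeature(); no AbstractMethodError is possible here.
        factory.setExpandEntityReferences(false);
        factory.setNamespaceAware(true);
        return failures;
    }

    /** Like the thread's workaround, plus a switch to refuse parsing on a broken platform. */
    public static DocumentBuilderFactory create(boolean failClosed) throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        int failures = applyHardening(factory);
        if (failures > 0) {
            String msg = failures + " XML hardening feature(s) unsupported by " + factory.getClass().getName();
            if (failClosed) {
                throw new ParserConfigurationException(msg);
            }
            // This is exactly the situation the thread warns about: parsing works, but unprotected.
            LOG.warning(msg + "; continuing with reduced protection against external entities");
        }
        return factory;
    }

    private static boolean trySetFeature(DocumentBuilderFactory factory, String feature, boolean enabled) {
        try {
            factory.setFeature(feature, enabled);
            return true;
        } catch (AbstractMethodError e) {
            // A pre-JAXP-1.3 DocumentBuilderFactoryImpl has no setFeature() at all; the JVM
            // raises this Error at the call site, which is what the thread's stack trace shows.
            LOG.log(Level.WARNING, "parser does not implement setFeature(): " + feature, e);
        } catch (ParserConfigurationException e) {
            // The method exists but this parser does not know the particular feature.
            LOG.log(Level.WARNING, "parser rejected feature " + feature, e);
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity, but it carries a DOCTYPE, which a
        // hardened parser rejects outright because the DOCTYPE is where entity declarations live.
        String sample = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
        DocumentBuilder builder = create(true).newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
            System.out.println("NOT rejected: the parser ignored the hardening features");
        } catch (SAXParseException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

Run with a current JDK and the DOCTYPE sample is rejected; drop a Xerces 2.6.1 xml-apis.jar into the classpath the way Dominik describes and `create(true)` throws a ParserConfigurationException before any document is touched, whereas `create(false)` reproduces the committed behaviour (warning logged, parsing continues). The count returned by `applyHardening` is the value worth surfacing in a health check or startup log, since a silent zero-versus-non-zero difference is the whole gap between a patched and an exposed deployment.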
