I would vote to stick to your guns on the pre-requisites, and let it fail if the user's environment doesn't meet the requirements.

Maybe put something in the release notes about this so they know what's going on when they hit this issue.



On 8/18/2014 12:18 PM, Uwe Schindler wrote:
The question to the others:

This is a dependency problem and not POI's fault. We can provide a "workaround" 
(which introduces a security issue on those broken platforms) - this is why I raised to 
warning level when adding the workaround.
I don't think this should hold a beta2 release, XERCES 2.6.1 is 10 (!!!) years 
old and was released before Java 5, which added 
DocumentBuilderFactory#setFeature().

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Uwe Schindler [mailto:u...@thetaphi.de]
Sent: Monday, August 18, 2014 6:08 PM
To: 'POI Developers List'
Subject: RE: [VOTE] Apache POI 3.11-beta2 release

Hi Dominik,

I committed the suggested fix (to both poi and poi-ooxml):

http://svn.apache.org/r1618644

Please note: I raised the logging level on failure to "warning", because you
make your XML parsing vulnerable to CVE-2014-3574 and CVE-2014-3529 !

POI 3.10.1 should have the same issue, but it's less severe there, because
DocumentHelper is only used for Excel Import/Export in OOXML, not for
openxml DOMs.
Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Dominik Stadler [mailto:dominik.stad...@gmx.at]
Sent: Monday, August 18, 2014 4:09 PM
To: POI Developers List
Subject: Re: [VOTE] Apache POI 3.11-beta2 release

I agree that the lib is outdated, but in my case it is pulled in by
some other dependency down the tree, being a large project, it is hard
to update the Xerces dependency without causing more work to update
other dependencies that are not related to POI, thus making a simple
update of POI rather complicated.

These tests ran fine with POI 3.10 and 3.11-beta1, so we are
introducing this incompatibility with -beta2. A fix is easy, just
catch the AbstractMethodError in that place the same way that we already
catch Exception.

So my vote is now 0, I do not vote against it, but think we should do
this change for 3.11 final.

Dominik.


On Mon, Aug 18, 2014 at 3:03 PM, Uwe Schindler <u...@thetaphi.de> wrote:
Hi,

this old Xerces version is not compliant to Java 6 as required as minimum
JVM. Since Java 1.4, the JDK requires setFeature() to be available.

The problem you have is: Something is inserting an older version of
xml-apis.jar into the classpath or the lib/ext folder of your JDK, that
breaks java 1.4+.

This will also happen with the bug fix release 3.10.1. There is nothing we
can do; upgrade to newer XERCES, which is compliant to newer Java versions.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de


-----Original Message-----
From: Dominik Stadler [mailto:dominik.stad...@gmx.at]
Sent: Monday, August 18, 2014 2:52 PM
To: POI Developers List
Subject: Re: [VOTE] Apache POI 3.11-beta2 release

Hi,

I get the following, which looks like the change to remove dom4j is
not fully working yet for some versions of Xerces XML Parser:

java.lang.AbstractMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
     at org.apache.poi.util.DocumentHelper.trySetSAXFeature(DocumentHelper.java:62)
     at org.apache.poi.util.DocumentHelper.<clinit>(DocumentHelper.java:56)
     at org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.marshallRelationshipPart(ZipPartMarshaller.java:120)
     at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:464)
     at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1425)
     at org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:201)
     at com.xxx.diagnostics.report.excel.ExcelRenderer.reportDashboard(ExcelReportRenderer.java:99)
     at com.xxx.diagnostics.report.excel.ExcelRendererTest.testReportDashboardWithTooManyTableRowsXLSX(ExcelReportRendererTest.java:2268)

This is a larger set of tests with some POI-related tests, due to
other dependencies an older version of Xerces XML Parser is pulled:

documentBuilderFactory is an
org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and not a
javax.xml.parsers.DocumentBuilderFactory which is provided with Java
itself.

Test-Case is simply:

     @Test
     public void testCrash() throws IOException {
         System.out.println("Java: " + System.getProperty("java.version"));

         try (Workbook wb = new XSSFWorkbook()) {
             FileOutputStream out = new FileOutputStream(new File("C:\\temp\\test.xlsx"));
             try {
                 wb.write(out);
             } finally {
                 out.close();
             }
         }
     }


At least xerces-2.6.1 is not providing the "setFeature()" method,
xerces-2.11 and 2.9.1 seem to have it, I did not check intermediate
versions.

I vote that we avoid this crash by either also catching the
AbstractMethodError or not calling that method on older versions of
Xerces that do not yet have "setFeature". Customers will run POI in
all sorts of environments and thus it is likely that older versions
of Xerces are still present in a number of them.

Thus -1 from me unless it can be explained as being a local problem
in my environment.

Dominik.

On Sun, Aug 17, 2014 at 11:45 PM, Andreas Beeker
<andreas.bee...@gmx.de> wrote:
+1 from my side


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org
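
The fallback debated in this thread, as an added example that is not part of the original messages and is not POI's DocumentHelper code: it catches both Exception and AbstractMethodError around setFeature(), logs at warning level, and reports which hardening features were actually applied so the caller can decide whether to accept untrusted input. The class and method names are hypothetical, and the two feature names chosen here are assumptions rather than the list POI sets.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

/** Hypothetical helper for illustration; not POI's DocumentHelper. */
public class HardenedDomFactory {
    private static final Logger LOG = Logger.getLogger(HardenedDomFactory.class.getName());

    // Assumed feature set: JAXP secure processing plus the Xerces DOCTYPE ban.
    static final String[] FEATURES = {
        XMLConstants.FEATURE_SECURE_PROCESSING,
        "http://apache.org/xml/features/disallow-doctype-decl"
    };

    /** Returns true if the feature was applied; logs at WARNING otherwise. */
    static boolean trySetFeature(DocumentBuilderFactory dbf, String feature, boolean value) {
        try {
            dbf.setFeature(feature, value);
            return true;
        } catch (Exception e) {
            // The parser has setFeature() but rejects this feature name.
            LOG.log(Level.WARNING, "XML feature not supported: " + feature, e);
        } catch (AbstractMethodError ame) {
            // The factory implementation predates setFeature() (for example an
            // old Xerces jar on the classpath), so the call fails at link time.
            LOG.log(Level.WARNING, "setFeature() missing in " + dbf.getClass().getName()
                    + "; cannot set " + feature, ame);
        }
        return false;
    }

    /** Applies every feature and records, per feature, whether it took effect. */
    static Map<String, Boolean> harden(DocumentBuilderFactory dbf) {
        Map<String, Boolean> applied = new LinkedHashMap<>();
        for (String feature : FEATURES) {
            applied.put(feature, trySetFeature(dbf, feature, true));
        }
        return applied;
    }

    public static void main(String[] args) {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        Map<String, Boolean> result = harden(dbf);
        System.out.println(dbf.getClass().getName() + " -> " + result);
        if (result.containsValue(false)) {
            System.err.println("Parser is not fully hardened; do not feed it untrusted XML.");
        }
    }
}
```

Running it once on the target classpath also shows which DocumentBuilderFactory implementation is actually being loaded.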

