I'm not sure why the old xerces-2.6.1 jar was added to build.xml - It is downloaded but not included in any classpath, and does not seem to be tested anywhere.
Also new in build.xml is a new "additionaljar" property that is referenced from a few places but is not defined anywhere. Was this supposed to test ad-hoc the old jar with the new warning in the xml/sax/document helper classes? It's not very clear from the file itself, and I don't think the build.xml file should provide a mechanism for testing 10 y/o jars that might or might have not been placed in the classpath. This is not a POI issue, as the old Xerces parser cannot be used with Java 5+ JAXP per the specs. It might be partially compatible, but I don't think we should give it any attention other than the clear warning at runtime and the clear line in the docs - those are more than sufficient. -----Original Message----- From: Uwe Schindler [mailto:u...@thetaphi.de] Sent: Monday, August 18, 2014 19:30 To: 'POI Developers List' Subject: RE: [VOTE] Apache POI 3.11-beta2 release Hi, I will add a line to the 3.10.1 release notes in a moment, which is already on Maven Central and most mirrors. Uwe ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -----Original Message----- > From: David kerber [mailto:dcker...@verizon.net] > Sent: Monday, August 18, 2014 6:27 PM > To: POI Developers List > Subject: Re: [VOTE] Apache POI 3.11-beta2 release > > I would vote to stick to your guns on the pre-requisites, and let it > fail if the user's environment doesn't meet the requirements. > > Maybe put something in the release notes about this so they know > what's going on when they hit this issue. > > > > On 8/18/2014 12:18 PM, Uwe Schindler wrote: > > The question to the others: > > > > This is a dependency problem and not POI's fault. We can provide a > "workaround" (which introduces a security issue on those broken > platforms) > - this is why I raised to warning level when adding the workaround. > > I don't think this should hold a beta2 release, XERCES 2.6.1 is 10 > > (!!!) years > old and was released before Java 5, which added > DoucmentBuilderFactory#setFeature(). > > > > Uwe > > > > ----- > > Uwe Schindler > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de > > eMail: u...@thetaphi.de > > > > > >> -----Original Message----- > >> From: Uwe Schindler [mailto:u...@thetaphi.de] > >> Sent: Monday, August 18, 2014 6:08 PM > >> To: 'POI Developers List' > >> Subject: RE: [VOTE] Apache POI 3.11-beta2 release > >> > >> H Dominik, > >> > >> I committed the suggested fix (to both poi and poi-ooxml): > >> > >> http://svn.apache.org/r1618644 > >> > >> Please note: I raised the logging level on failure to "warning", > >> because you > >> make your XML parsing vulnerable to CVE-2014-3574 and CVE-2014-3529 ! > >> > >> POI 3.10.1 should have same issue, but its less severe there, because > >> DocumentHelper is only used for Excel Import/Export in OOXML, not for > >> openxml DOMs. > >> Uwe > >> > >> ----- > >> Uwe Schindler > >> H.-H.-Meier-Allee 63, D-28213 Bremen > >> http://www.thetaphi.de > >> eMail: u...@thetaphi.de > >> > >> > >>> -----Original Message----- > >>> From: Dominik Stadler [mailto:dominik.stad...@gmx.at] > >>> Sent: Monday, August 18, 2014 4:09 PM > >>> To: POI Developers List > >>> Subject: Re: [VOTE] Apache POI 3.11-beta2 release > >>> > >>> I agree that it the lib is outdated, but in my case it is pulled in by > >>> some other dependency down the tree, being a large project, it is hard > >>> to update the Xerces dependency without causing more work to update > >>> other dependencies that are not related to POI, thus making a simple > >>> update of POI rather complicated. > >>> > >>> These tests ran fine with POI 3.10 and 3.11-beta1, so we are > >>> introducing this incompatibility with -beta2. A fix is easy, just > >>> catch the AbstractMethodError in that place the same way that we > already > >> catch Exception. > >>> > >>> So my vote is now 0, I do not vote against it, but think we should do > >>> this change for 3.11 final. > >>> > >>> Dominik. > >>> > >>> > >>> On Mon, Aug 18, 2014 at 3:03 PM, Uwe Schindler <u...@thetaphi.de> > >> wrote: > >>>> Hi, > >>>> > >>>> this old Xerces version is not compliant to Java 6 as required as > >>>> minimum > >>> JVM. Since Java 1.4, the JDK requires setFeature() to be available. > >>>> > >>>> The problem you have is: Something is inserting an older version of > >>>> xml- > >>> apis.jar into the classpath or the lib/ext folder of your JDK, that > >>> breaks java 1.4+. > >>>> > >>>> This will also happen with the bug fix release 3.10.1. There is > >>>> nothing we > >>> can do; upgrade to newer XERCES, which is compliant to newer Java > >> versions. > >>>> > >>>> Uwe > >>>> > >>>> ----- > >>>> Uwe Schindler > >>>> H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de > >>>> eMail: u...@thetaphi.de > >>>> > >>>> > >>>>> -----Original Message----- > >>>>> From: Dominik Stadler [mailto:dominik.stad...@gmx.at] > >>>>> Sent: Monday, August 18, 2014 2:52 PM > >>>>> To: POI Developers List > >>>>> Subject: Re: [VOTE] Apache POI 3.11-beta2 release > >>>>> > >>>>> Hi, > >>>>> > >>>>> I get the following, which looks like the change to remove dom4j is > >>>>> not fully working yet for some versions of Xerces XML Parser: > >>>>> > >>>>> java.lang.AbstractMethodError: > >>>>> > >>> > >> > javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V > >>>>> at > >>>>> > >>> > >> > org.apache.poi.util.DocumentHelper.trySetSAXFeature(DocumentHelper.ja > >>>>> v > >>>>> a:62) > >>>>> at > >>> org.apache.poi.util.DocumentHelper.<clinit>(DocumentHelper.java:56) > >>>>> at > >>>>> > org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.m > >>>>> arsh > >>>>> allRelationshipPart(ZipPartMarshaller.java:120) > >>>>> at > >>>>> > >> org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:464) > >>>>> at > >>>>> > >> org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1425) > >>>>> at > >> org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:201) > >>>>> at > >>>>> > >> com.xxx.diagnostics.report.excel.ExcelRenderer.reportDashboard(ExcelR > >>>>> ep > >>>>> ortRenderer.java:99) > >>>>> at > >>>>> > >> com.xxx.diagnostics.report.excel.ExcelRendererTest.testReportDashboar > >>>>> dW > >>>>> ithTooManyTableRowsXLSX(ExcelReportRendererTest.java:2268) > >>>>> > >>>>> This is a larger set of tests with some POI-related tests, due to > >>>>> other dependencies an older version of Xerces XML Parser is pulled: > >>>>> > >>>>> documentBuilderFactory is a > >>>>> org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and not a > >>>>> javax.xml.parsers.DocumentBuilderFactory which is provided with > Java > >>> itself. > >>>>> > >>>>> Test-Case is simply: > >>>>> > >>>>> @Test > >>>>> public void testCrash() throws IOException { > >>>>> System.out.println("Java: " + > >>>>> System.getProperty("java.version")); > >>>>> > >>>>> try (Workbook wb = new XSSFWorkbook()) { > >>>>> FileOutputStream out = new FileOutputStream(new > >>>>> File("C:\\temp\\test.xlsx")); > >>>>> try { > >>>>> wb.write(out); > >>>>> } finally { > >>>>> out.close(); > >>>>> } > >>>>> } > >>>>> } > >>>>> > >>>>> > >>>>> At least xerces-2.6.1 is not providing the "setFeature()" method, > >>>>> xerces-2.11 and 2.9.1 seem to have it, I did not check intermediate > >>> versions. > >>>>> > >>>>> I vote that we avoid this crash by either also catching the > >>>>> AbstractMethodError or not calling that method on older versions of > >>>>> Xerces that do not yet have "setFeature". Customers will run POI in > >>>>> all sorts of environments and thus it is likely that older versions > >>>>> of Xerces are still present in a number of them. > >>>>> > >>>>> Thus -1 from me unless it can be explained as being a local problem > >>>>> in my environment. > >>>>> > >>>>> Dominik. > >>>>> > >>>>> On Sun, Aug 17, 2014 at 11:45 PM, Andreas Beeker > >>>>> <andreas.bee...@gmx.de> wrote: > >>>>>> +1 from my side > >>>>>> > >>>>>> > >>>>>> ------------------------------------------------------------------- > >>>>>> -- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For > >>>>>> additional commands, e-mail: dev-h...@poi.apache.org > >>>>>> > >>>>> > >>>>> --------------------------------------------------------------------- > >>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For > additional > >>>>> commands, e-mail: dev-h...@poi.apache.org > >>>> > >>>> > >>>> --------------------------------------------------------------------- > >>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For > additional > >>>> commands, e-mail: dev-h...@poi.apache.org > >>>> > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional > >>> commands, e-mail: dev-h...@poi.apache.org > >> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > >> For additional commands, e-mail: dev-h...@poi.apache.org > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > > For additional commands, e-mail: dev-h...@poi.apache.org > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > For additional commands, e-mail: dev-h...@poi.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org
