Dear Fanning, thanks for the quick reply and the perfect links to the articles.

As this is production software, doing your recommendations may take some time and effort ... and meanwhile I can't stop the service. As a quick trick I thought about checking if the file is a valid zip or not. Surprisingly, at least to me, the tampered file is still a valid zip and for example 7zip can open it. But I mentioned that MS Excel (version 2021) does not open this tampered file. An alert shows that "We found a problem with some content in '....' Do you want us to try to recover as much as we can". Well, what do you think MS Excel does to find that this is not a valid file? Can you suggest an approach that I can do to at least check this kind of tampered file, before opening it with poi?!

On Wed, Sep 27, 2023 at 5:45 PM PJ Fanning <fannin...@yahoo.com.invalid> wrote:

> I strongly recommend that you do not accept any xlsx file from an untrusted source.
>
> I wrote a blog about it a while ago.
>
> https://medium.com/system-weakness/caveats-with-accepting-microsoft-office-file-formats-in-uploads-26be3673c330
>
> The format is defined by Microsoft. Deal with them. If you read the history of POI, we all think that the Microsoft data formats are poorly designed.
>
> https://en.wikipedia.org/wiki/Apache_POI
>
> xlsx files do support file signatures. Read
> https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
>
> You could generate a SHA checksum and send it independently of the xlsx file and you could verify that the checksum matches the xlsx file when you receive them.
>
> On Wednesday 27 September 2023 at 15:04:08 IST, Alireza Fattahi <afattah...@gmail.com> wrote:
>
> > I am using workBook = WorkbookFactory.create(fis); to read excel files.
> >
> > I found something strange, I opened the file with notepad++ and added some text at the end of the file and tampered it. The WorkbookFactory.create(fis) still works and opens the file!!! I have attached a sample file.
> >
> > Is this some built-in feature which fixes this file?
> >
> > I am adding a screenshot of the file which I changed in notepad++
> > ---------------------
> >
> > The source of the problem is that I get the excel file from the users via upload and pass this file to WorkbookFactory. I thought that the WorkbookFactory checks the file validity and I was not worried about a hacker who tries to add some code or script and send it to me via excel.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> For additional commands, e-mail: dev-h...@poi.apache.org
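A structural pre-check of the kind asked for above, added here as an example that is neither part of this thread nor POI's own code: it requires the ZIP end-of-central-directory record (plus its declared comment) to close the file exactly, so text appended in an editor is flagged even though lenient readers such as 7zip and java.util.zip locate that record by scanning backwards and open the archive anyway. It is written in Python so it runs stand-alone; the same offset arithmetic ports to Java in front of WorkbookFactory.create, the sample package is constructed inline, and whether this matches what Excel itself checks is not established by the thread.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory (EOCD) record signature
EOCD_LEN = 22              # fixed part of the EOCD; an archive comment may follow
LOCAL_SIG = b"PK\x03\x04"  # signature of the first local file header


def check_package_structure(data: bytes) -> list[str]:
    """Strict container checks for an OOXML (xlsx) upload. Returns the problems
    found; an empty list means the ZIP container shows no prepended or appended
    bytes and carries the [Content_Types].xml every OOXML package must have."""
    problems = []
    if not data.startswith(LOCAL_SIG):
        problems.append("file does not start with a ZIP local file header")
    pos = data.rfind(EOCD_SIG)  # same backwards scan lenient readers perform
    if pos < 0 or len(data) < pos + EOCD_LEN:
        return problems + ["no complete end-of-central-directory record"]
    _, _, _, entries, cd_size, cd_offset, comment_len = struct.unpack(
        "<HHHHIIH", data[pos + 4:pos + EOCD_LEN])
    # The EOCD record and its declared comment must end exactly at EOF.
    trailing = len(data) - (pos + EOCD_LEN + comment_len)
    if trailing > 0:
        problems.append(f"{trailing} byte(s) appended after the archive end")
    elif trailing < 0:
        problems.append("declared archive comment runs past end of file")
    # The central directory must end where the EOCD record begins (no gap).
    if entries == 0xFFFF or 0xFFFFFFFF in (cd_size, cd_offset):
        problems.append("zip64 archive: strict offset check not supported here")
    elif cd_offset + cd_size != pos:
        problems.append("central directory does not end at the EOCD record")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                problems.append("missing [Content_Types].xml: not an OOXML package")
    except zipfile.BadZipFile as exc:
        problems.append(f"zipfile rejected the archive: {exc}")
    return problems


def make_sample_package() -> bytes:
    """Constructed stand-in for an xlsx upload: a minimal ZIP holding the two
    entries every OOXML package has (placeholder contents, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

Run check_package_structure on the uploaded bytes before the stream reaches POI and reject on any non-empty result; for the appended-text case it reports the exact number of extra bytes.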