I made 2 separate suggestions about signing the xlsx.

1. xlsx files do support file signatures. Read
   https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html

2. You could generate a SHA checksum and send it independently of the xlsx file, and you could verify that the checksum matches the xlsx file when you receive them.

On Wednesday 27 September 2023 at 16:01:13 IST, Alireza Fattahi <afattah...@gmail.com> wrote:

Dear Fanning,

Thanks for the quick reply and the perfect links to the articles.

As this is production software, doing your recommendations may take some time and effort ... and meanwhile I can't stop the service.

As a quick trick I thought about checking if the file is a valid zip or not. Surprisingly, at least to me, the tampered file is still a valid zip and for example 7zip can open it. But I noticed that MS Excel (version 2021) does not open this tampered file. An alert shows that "We found a problem with some content in '....' Do you want us to try to recover as much as we can".

Well, what do you think MS Excel does to find that this is not a valid file? Can you suggest an approach that I can use to at least check this kind of tampered file, before opening it with POI?!

On Wed, Sep 27, 2023 at 5:45 PM PJ Fanning <fannin...@yahoo.com.invalid> wrote:

> I strongly recommend that you do not accept any xlsx file from an
> untrusted source.
>
> I wrote a blog about it a while ago.
>
> https://medium.com/system-weakness/caveats-with-accepting-microsoft-office-file-formats-in-uploads-26be3673c330
>
> The format is defined by Microsoft. Deal with them. If you read the
> history of POI, we all think that the Microsoft data formats are poorly
> designed.
>
> https://en.wikipedia.org/wiki/Apache_POI
>
> xlsx files do support file signatures. Read
> https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
>
> You could generate a SHA checksum and send it independently of the xlsx
> file and you could verify that the checksum matches the xlsx file when you
> receive them.
>
> On Wednesday 27 September 2023 at 15:04:08 IST, Alireza Fattahi <afattah...@gmail.com> wrote:
>
> I am using workBook = WorkbookFactory.create(fis); to read excel files.
>
> I found something strange: I opened the file with notepad++ and added some
> text at the end of the file and tampered it. The
> WorkbookFactory.create(fis) still works and opens the file!!! I have
> attached a sample file.
>
> Is this some built-in feature which fixes this file?
>
> I am adding a screenshot of the file which I changed in notepad++
> ---------------------
>
> The source of the problem is that I get the excel file from the users via
> upload and pass this file to WorkbookFactory. I thought that the
> WorkbookFactory checks the file validity and I was not worried about a
> hacker who tries to add some code or script and send it to me via excel.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> For additional commands, e-mail: dev-h...@poi.apache.org
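A pre-check of the kind asked for in the thread, written as an added example (not code from the thread, from POI, or from either author) in Python rather than Java because it inspects the ZIP container, not POI's API: it reports bytes appended after the end-of-central-directory record (what editing the file in notepad++ produces, and what the zip layer silently tolerates) and verifies an out-of-band SHA-256 checksum as suggested. The xlsx is a constructed minimal stand-in with only the OPC parts the check needs.

```python
import hashlib
import hmac
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_LEN = 22              # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF       # the trailing comment is at most 65535 bytes

def build_sample_xlsx() -> bytes:
    """Constructed stand-in for an xlsx: a zip with the OPC parts a reader expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

def opens_with_stdlib(data: bytes) -> bool:
    """True if the zip layer alone accepts the bytes (it does for appended junk)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(zf.namelist())
    except zipfile.BadZipFile:
        return False

def trailing_bytes(data: bytes) -> int:
    """Bytes after the EOCD record; readers scan backwards for it, so appended text is ignored."""
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record: not a zip")
    eocd_start = len(data) - len(tail) + idx
    comment_len = struct.unpack_from("<H", data, eocd_start + 20)[0]
    return len(data) - (eocd_start + EOCD_LEN + comment_len)

def is_clean_archive(data: bytes) -> bool:
    """Reject trailing data, CRC failures and archives missing the OPC content-types part."""
    if trailing_bytes(data) != 0:
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip() is None and "[Content_Types].xml" in zf.namelist()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare against a checksum received out of band, in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())
```

Note that a clean zip layer says nothing about the XML parts inside the archive; this check only catches the container-level tampering described above and is no substitute for a signature or a checksum sent separately.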