Thanks for help

Well I wonder if the sign could solve the issue

Let me explain more. The application is an internet banking system; the users
log in and make some transactions. They should also send the list of
transactions via Excel.

It is possible that even one of the logged-in and authorized users signs
this tampered file and sends it to the server. I check the sign; the sign is
valid, but still there will be no way to find that the file is not valid.

On Wed, 27 Sept 2023, 18:42 PJ Fanning, <fannin...@yahoo.com.invalid> wrote:

> I made 2 separate suggestions about signing the xlsx.
>
> 1. xlsx files do support file signatures. Read
> https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
>
> 2. You could generate a SHA checksum and send it independently of the xlsx
> file and you could verify that the checksum matches the xlsx file when you
> receive them.
>
> On Wednesday 27 September 2023 at 16:01:13 IST, Alireza Fattahi <
> afattah...@gmail.com> wrote:
>
> Dear Fanning, thanks for the quick reply and the perfect links to the
> articles.
>
> As this is a production software, doing your recommendations may take some
> time and effort .... and meanwhile I can't stop the service
>
> As a quick trick I thought about checking if the file is a valid zip or
> not. Surprisingly, at least to me, the tampered file is still a valid zip and
> for example 7zip can open it.
>
> But I mentioned that the MS Excel (version 2021) does not open this
> tampered file. An alert shows that "We found a problem with some content in
> '....'. Do you want us to try to recover as much as we can".
>
> Well, what do you think the MS Excel does to find that this is not a valid
> file? Can you suggest an approach that I can do to at least check this
> kind of tampered file, before opening it with POI?!
>
> On Wed, Sep 27, 2023 at 5:45 PM PJ Fanning <fannin...@yahoo.com.invalid>
> wrote:
>
> > I strongly recommend that you do not accept any xlsx file from an
> > untrusted source.
> >
> > I wrote a blog about it a while ago.
> >
> > https://medium.com/system-weakness/caveats-with-accepting-microsoft-office-file-formats-in-uploads-26be3673c330
> >
> > The format is defined by Microsoft. Deal with them. If you read the
> > history of POI, we all think that the Microsoft data formats are poorly
> > designed.
> >
> > https://en.wikipedia.org/wiki/Apache_POI
> >
> > xlsx files do support file signatures. Read
> >
> https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
> >
> > You could generate a SHA checksum and send it independently of the xlsx
> > file and you could verify that the checksum matches the xlsx file when you
> > receive them.
> >
> >
> > On Wednesday 27 September 2023 at 15:04:08 IST, Alireza Fattahi <
> > afattah...@gmail.com> wrote:
> >
> > I am using workBook = WorkbookFactory.create(fis); to read Excel files.
> >
> > I found something strange, I opened the file with notepad++ and added
> > some text at the end of the file and tampered it. The
> > WorkbookFactory.create(fis) still works and opens the file!!! I have
> > attached a sample file.
> >
> > Is this some built-in feature which fixes this file?
> >
> > I am adding a screenshot of the file which I changed in notepad++
> > ---------------------
> >
> > The source of the problem is that I get the Excel file from the users
> > via upload and pass this file to WorkbookFactory. I thought that the
> > WorkbookFactory checks the file validity and I was not worried about a
> > hacker who tries to add some code or script and send it to me via Excel.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > For additional commands, e-mail: dev-h...@poi.apache.org
> >
> >
> >
>
>
>

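Alireza asks in the quoted messages how to reject this kind of tampered file before it reaches WorkbookFactory; as an added example (not code from this thread or from Apache POI), the check below, written in Python so it runs stand-alone, flags bytes appended after the zip's end-of-central-directory record, which is exactly what the notepad++ edit produces and exactly what 7zip, POI and Python's own zipfile tolerate. It assumes the constructed minimal package it builds in memory (OOXML part names only, not a real workbook).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory (EOCD) record signature
EOCD_LEN = 22             # fixed size of that record; an optional archive comment follows it


def build_sample_package() -> bytes:
    """Constructed sample: a minimal zip with OOXML part names, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def check_ooxml_package(data: bytes) -> list:
    """Return the structural problems found (empty list = looks like a clean OOXML zip).
    Zip readers locate the archive by scanning backwards for the EOCD record, so bytes
    appended after it are ignored; we insist the record plus comment end exactly at EOF."""
    problems = []
    eocd = data.rfind(EOCD_SIG)  # the same candidate record a tolerant reader would use
    if eocd < 0 or eocd + EOCD_LEN > len(data):
        return problems + ["no complete end-of-central-directory record"]
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    if comment_len:  # Office never writes one, and it is the one legal place to hide data
        problems.append(f"unexpected {comment_len}-byte archive comment")
    trailing = len(data) - (eocd + EOCD_LEN + comment_len)
    if trailing < 0:
        problems.append("archive comment runs past the end of the file")
    elif trailing:
        problems.append(f"{trailing} trailing byte(s) after end of archive")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            bad = z.testzip()  # CRC-checks every member
            if bad is not None:
                problems.append(f"CRC mismatch in member {bad}")
            names = set(z.namelist())
    except zipfile.BadZipFile as exc:
        return problems + [f"not a readable zip: {exc}"]
    for part in ("[Content_Types].xml", "_rels/.rels"):
        if part not in names:
            problems.append(f"missing required part {part}")
    return problems


def member_names(data: bytes) -> list:
    """What a tolerant reader sees: the member list, even after bytes were appended."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()
```

A clean structure says nothing about the content, so this complements rather than replaces the signature and checksum suggestions above, and like them it cannot catch a logged-in user who submits a crafted file that was never modified after it was signed.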