Thanks 🙏🙏

On Wed, 27 Sept 2023, 20:25 PJ Fanning, <fannin...@yahoo.com.invalid> wrote:

> I hope you can take this constructively. I think using Excel like this is
> a bad choice and very insecure.
>
> If this was my problem I would write a UI application of my own so that I
> could apply end to end authentication and authorization.
>
> I strongly suggest that you share no more details about your application
> online. What you have already disclosed on a public email forum is enough
> information for a malicious user to get started on cracking your security.
>
> On Wednesday 27 September 2023 at 17:44:38 IST, Alireza Fattahi
> <afattah...@gmail.com> wrote:
>
> > Thanks for help
> >
> > Well I wonder if the sign could solve the issue
> >
> > Let me explain more. The application is an internet banking system; the users
> > login and make some transactions. They should also send the list of
> > transactions via excel.
> >
> > It is possible that even one of the logged in and authorized users signs
> > this tampered file and sends it to the server. I check the sign, the sign is
> > valid, but still there will be no way to find that the file is not valid.
> >
> > On Wed, 27 Sept 2023, 18:42 PJ Fanning, <fannin...@yahoo.com.invalid> wrote:
> >
> > > I made 2 separate suggestions about signing the xlsx.
> > >
> > > 1. xlsx files do support file signatures. Read
> > > https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
> > >
> > > 2. You could generate a SHA checksum and send it independently of the xlsx
> > > file and you could verify that the checksum matches the xlsx file when you
> > > receive them.
> > >
> > > On Wednesday 27 September 2023 at 16:01:13 IST, Alireza Fattahi
> > > <afattah...@gmail.com> wrote:
> > >
> > > > Dear Fanning, thanks for the quick reply and the perfect links to the
> > > > articles.
> > > >
> > > > As this is production software, doing your recommendations may take some
> > > > time and effort .... and meanwhile I can't stop the service.
> > > >
> > > > As a quick trick I thought about checking if the file is a valid zip or
> > > > not. Surprisingly, at least to me, the tampered file is still a valid zip
> > > > and for example 7zip can open it.
> > > >
> > > > But I mentioned that MS Excel (version 2021) does not open this
> > > > tampered file. An alert shows that "We found a problem with some content
> > > > in '....' Do you want us to try to recover as much as we can".
> > > >
> > > > Well, what do you think MS Excel does to find that this is not a valid
> > > > file? Can you suggest an approach that I can do to at least check this
> > > > kind of tampered file, before opening it with poi?!
> > > >
> > > > On Wed, Sep 27, 2023 at 5:45 PM PJ Fanning <fannin...@yahoo.com.invalid>
> > > > wrote:
> > > >
> > > > > I strongly recommend that you do not accept any xlsx file from an
> > > > > untrusted source.
> > > > >
> > > > > I wrote a blog about it a while ago.
> > > > >
> > > > > https://medium.com/system-weakness/caveats-with-accepting-microsoft-office-file-formats-in-uploads-26be3673c330
> > > > >
> > > > > The format is defined by Microsoft. Deal with them. If you read the
> > > > > history of POI, we all think that the Microsoft data formats are poorly
> > > > > designed.
> > > > >
> > > > > https://en.wikipedia.org/wiki/Apache_POI
> > > > >
> > > > > xlsx files do support file signatures. Read
> > > > >
> > > > > https://poi.apache.org/apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureInfo.html
> > > > >
> > > > > You could generate a SHA checksum and send it independently of the xlsx
> > > > > file and you could verify that the checksum matches the xlsx file when
> > > > > you receive them.
> > > > >
> > > > > On Wednesday 27 September 2023 at 15:04:08 IST, Alireza Fattahi
> > > > > <afattah...@gmail.com> wrote:
> > > > >
> > > > > > I am using workBook = WorkbookFactory.create(fis); to read excel files.
> > > > > >
> > > > > > I found something strange: I opened the file with notepad++ and added
> > > > > > some text at the end of the file and tampered it. The
> > > > > > WorkbookFactory.create(fis) still works and opens the file!!! I have
> > > > > > attached a sample file.
> > > > > >
> > > > > > Is this some built-in feature which fixes this file?
> > > > > >
> > > > > > I am adding a screenshot of the file which I changed in notepad++
> > > > > > ---------------------
> > > > > >
> > > > > > The source of the problem is that I get the excel file from the users
> > > > > > via upload and pass this file to WorkbookFactory. I thought that the
> > > > > > WorkbookFactory checks the file validity and I was not worried about a
> > > > > > hacker who tries to add some code or script and send it to me via
> > > > > > excel.
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > > > > For additional commands, e-mail: dev-h...@poi.apache.org
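The thread makes two observations worth seeing in code: a zip reader (7-Zip, and WorkbookFactory behind it) still opens a file that has text appended after the archive, and the suggested control is a SHA checksum sent separately from the file. The example below is added here and is not code from Apache POI or from any poster in the thread. It is written in Python because the two checks are language-independent (they map onto java.util.zip and java.security.MessageDigest ahead of WorkbookFactory.create()); the archive it inspects is constructed inline with OOXML-style part names and is not a real workbook, and the "expected" digest is assumed to have arrived out of band. It shows why a "is it a valid zip?" test passes on the appended-text file, and how the end-of-central-directory record reveals the trailing bytes; it does not reproduce Excel's validation of the XML parts, and the trailing-bytes check only catches this one tampering pattern, so the checksum (or a package signature) remains the actual control.

```python
"""Pre-checks for an uploaded xlsx before it reaches a workbook parser.

Added example, not code from Apache POI or from the mailing-list thread.
The archive below is constructed inline and only mimics an OOXML layout;
the expected SHA-256 is assumed to be transmitted separately from the file.
"""
import hashlib
import hmac
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
EOCD_LEN = 22             # fixed part of the EOCD record, before the comment


def build_sample_package() -> bytes:
    """Construct a tiny zip with OOXML-style part names (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Digest the sender computes and transmits separately from the file."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the received file against the out-of-band digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def trailing_bytes_after_eocd(data: bytes) -> int:
    """Count bytes that follow the archive's EOCD record plus its comment.

    Zip readers (7-Zip, java.util.zip, Python's zipfile) locate the EOCD by
    scanning backwards for its signature, so bytes appended after it are
    silently ignored and the file still "opens". Anything past the EOCD and
    its comment is not part of the archive at all.
    Raises ValueError when no EOCD signature exists (not a zip file).
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no end-of-central-directory record: not a zip file")
    (comment_len,) = struct.unpack_from("<H", data, pos + 20)  # comment length field
    archive_end = pos + EOCD_LEN + comment_len
    return len(data) - archive_end


def opens_as_zip(data: bytes) -> bool:
    """Reproduce the observation in the thread: a zip library accepts the file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def precheck_upload(data: bytes, expected_sha256: str) -> list:
    """Return reasons to reject the upload; an empty list means both checks passed."""
    problems = []
    if not checksum_matches(data, expected_sha256):
        problems.append("sha256 does not match the checksum sent out of band")
    try:
        extra = trailing_bytes_after_eocd(data)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if extra:
            problems.append(f"{extra} trailing byte(s) after the zip end-of-central-directory record")
    return problems


if __name__ == "__main__":
    original = build_sample_package()
    digest = sha256_hex(original)
    # Constructed tamper: text appended to the file in a text editor.
    tampered = original + b"text appended in an editor\n"
    print("tampered file still opens as a zip:", opens_as_zip(tampered))
    print("original:", precheck_upload(original, digest) or "ok")
    print("tampered:", precheck_upload(tampered, digest))
```

The checksum comparison uses hmac.compare_digest so the comparison time does not depend on where the digests differ. Running precheck_upload before handing the bytes to the workbook parser rejects the appended-text file on both counts, while the untouched archive passes; a tamper that rebuilds the archive properly would only be caught by the checksum or signature, which is why the file's own structure is not a substitute for them.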