pjfanning commented on PR #1113: URL: https://github.com/apache/poi/pull/1113#issuecomment-4621023237
I must admit that I'm getting very bored of PRs that apply these limits. POI is over 20 years old and has a lot of code. It was not originally written with security in mind. It is a free convenience library.

This new code - all it does is switch from one type of exception to a different type of exception. So unprotected code might throw an Array Index exception or even OutOfMemoryException. Parse enough documents in parallel and you can still get OutOfMemoryExceptions. https://poi.apache.org/security.html warns that you should never parse untrusted documents with POI.

We are introducing new problems with this code. The limits might be too low for some reasonable files. We now have dozens of different limits and the exceptions raised don't tell you what method to use to raise the limit. Even if we add some new tests, we are not getting 100% test coverage or even close to that number.

I'm thinking of raising a general discussion among the POI volunteers about just giving up on this sort of work.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
