[ 
https://issues.apache.org/jira/browse/OFBIZ-12572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605297#comment-17605297
 ] 

Deepak Dixit edited comment on OFBIZ-12572 at 9/15/22 12:07 PM:
----------------------------------------------------------------

Need to include the following dependencies as well:
{code:java}
implementation 'org.apache.commons:commons-csv:1.9.0'
implementation 'org.apache.tika:tika-parser-pdf-module:2.4.1'
implementation 'org.apache.cxf:cxf-rt-frontend-jaxrs:3.5.3'
{code}
After including the mentioned dependencies, now getting a test case failure:
{code:java}
org.apache.ofbiz.base.util.UtilCodecTests > testCheckStringForHtmlSafe FAILED
    org.junit.ComparisonFailure at UtilCodecTests.java:104
{code}


> [SECURITY] Upgrade Tika to 2.3.0 or more
> ----------------------------------------
>
>                 Key: OFBIZ-12572
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12572
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, framework/security
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Here is the Tika announcement:
> {quote}
> The Apache Tika project is pleased to announce the release of Apache
> Tika 2.3.0. The release contents have been pushed out to the main
> Apache release site and to the Maven Central sync.
> Apache Tika is a toolkit for detecting and extracting metadata and
> structured text content from various documents using existing parser
> libraries.
> Apache Tika 2.3.0 includes several security upgrades in dependencies,
> including an upgrade to log4j2 (version 2.17.1).  This release also
> includes a non-trivial upgrade to Apache POI 5.2.0 (TIKA-3164); users
> will observe significantly more logging from the POI parsers.
> Details can be found in the changes file:
> https://www.apache.org/dist/tika/2.3.0/CHANGES-2.3.0.txt
> {quote}
> We currently still use version 1.28 because since 2.1.0 Tika throws a lot of
> compile errors. I tried to use 2.3.0 and there is much work. Fortunately we
> don't rely too much on Tika.
> * In the security component, only to check *.svg files in
> SecuredUpload::getMimeTypeFromFileName(), and there is another final check in
> this method.
> * In content:
> DataResourceWorker.getMimeTypeWithByteBuffer::getMimeTypeWithByteBuffer


