[Bug 63188] Specific microsoft excel file(.xlsx) getting corrupted while manipulated using apache-poi-3.10 libraries

2019-03-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63188

Dominik Stadler  changed:

           What|Removed     |Added

         Status|NEW         |RESOLVED
     Resolution|---         |WORKSFORME

--- Comment #6 from Dominik Stadler  ---
If you set minimum inflation ratio to 0, you disable the protection that we
built into Apache POI.

However this only poses a security threat if you process documents where you do
not control the contents fully, e.g. if you allow users to upload documents
that are then processed.

If you do not allow that anywhere, you might be fine with setting it to 0.

If you allow external uploads of documents, but you would like to process
documents like the one provided, you can try using a different value for
minimum inflation ratio. The default is 0.01, so you might need to experiment
with smaller values, e.g. 0.001 until you can process documents, but still have
some protection against documents which expand too much and would use up too
much memory.

As this is working as expected from our point of view, I am closing this for
now, please discuss on the mailing list if you have more usage questions or
report new bugs if you find something not working as expected/described.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org
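
A small measurement aid for the advice in comment #6 about experimenting with smaller values, added here as an example; it is not Apache POI code and not from the thread. It computes each zip entry's compressed-to-uncompressed ratio (the figure reported in the thread's "Zip bomb detected" message) so a threshold can be chosen from known-good documents instead of being set to 0. The sample archive and all function names are constructed, and the sizes are those declared in the zip directory, so this is for documents you trust, not a gate for uploads.

```python
import io
import zipfile

POI_DEFAULT_MIN_INFLATE_RATIO = 0.01  # default value stated in the thread


def entry_ratios(xlsx_bytes):
    """Map each zip entry name to compressed_size / uncompressed_size."""
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size == 0:  # empty entries and directories cannot expand
                continue
            ratios[info.filename] = info.compress_size / info.file_size
    return ratios


def entries_below(xlsx_bytes, min_ratio=POI_DEFAULT_MIN_INFLATE_RATIO):
    """Entries whose ratio is under min_ratio; 0.0 flags nothing (check disabled)."""
    return sorted(n for n, r in entry_ratios(xlsx_bytes).items() if r < min_ratio)


def smallest_ratio(corpus):
    """Lowest ratio seen across a corpus of known-good documents."""
    return min(r for doc in corpus for r in entry_ratios(doc).values())


def build_sample():
    """Constructed stand-in for an .xlsx: one ordinary part, one very repetitive part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml",
                    "<workbook><sheets><sheet name='S1'/></sheets></workbook>")
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                    "<r><n v='0'/><s v='x'/></r>" * 30000)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample()
    for name, ratio in sorted(entry_ratios(doc).items()):
        print(f"{ratio:.6f}  {name}")
    print("below default 0.01:", entries_below(doc))
    print("below 0.001:", entries_below(doc, 0.001))
    print("smallest ratio in corpus:", smallest_ratio([doc]))
```

POI evaluates the ratio while it reads an entry, so leave a margin below the smallest ratio measured here.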



[Bug 63188] Specific microsoft excel file(.xlsx) getting corrupted while manipulated using apache-poi-3.10 libraries

2019-02-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63188

Sushmita Nag  changed:

           What|Removed     |Added

         Status|NEEDINFO    |NEW

--- Comment #5 from Sushmita Nag  ---
Hi Dominik Stadler,

As per your suggestion, the fix which you suggested [setting the minimum inflate
ratio explicitly] worked and we are able to import/manipulate the .xlsx
successfully using poi-3.15.

However, as per POI, the file is used to inflate memory usage and thus could
pose a security risk.

So, if we explicitly disable the validation and set the minimum inflate ratio
to 0.0, will it expose any security risk from a server safety perspective?
There are then chances that certain files can blow up the server due to
excessive memory usage, so we are concerned about this factor.

Could you please advise us on the same?


Regards,
Sushmita




[Bug 63188] Specific microsoft excel file(.xlsx) getting corrupted while manipulated using apache-poi-3.10 libraries

2019-02-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63188

Dominik Stadler  changed:

           What|Removed     |Added

        Version|3.17-FINAL  |unspecified
         Status|NEW         |NEEDINFO

--- Comment #4 from Dominik Stadler  ---
The file somehow triggers some security-related safeguards in the XML-Handling.
If I run this with the latest version, the following is logged out if logging
is turned on:


java.io.IOException: Zip bomb detected! The file would exceed the max. ratio of
compressed file size to the size of the expanded data.
This may indicate that the file is used to inflate memory usage and thus could
pose a security risk.
You can adjust this limit via ZipSecureFile.setMinInflateRatio() if you need to
work with files which exceed this limit.
Uncompressed size: 819534, Raw/compressed size: 8192, ratio: 0.009996
Limits: MIN_INFLATE_RATIO: 0.01, Entry:
xl/pivotCache/pivotCacheRecords1.xml


You can disable this check with the following, please try and report back here
if it made it work.

ZipSecureFile.setMinInflateRatio(0.0);

BTW. There is a newer version 3.17 in the 3-series which contains many fixes on
top of 3.15. Also the latest release is 4.0.1, if possible we suggest to
upgrade to the latest version to get all new features/bugfixes and support for
current technologies.




[Bug 63188] Specific microsoft excel file(.xlsx) getting corrupted while manipulated using apache-poi-3.10 libraries

2019-02-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63188

--- Comment #3 from Sushmita Nag  ---
Latest link:

https://drive.google.com/open?id=1seYe8W75wM8LWJ4-xUFSoDcpDpnofxkG




[Bug 63188] Specific microsoft excel file(.xlsx) getting corrupted while manipulated using apache-poi-3.10 libraries

2019-02-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63188

Yegor Kozlov  changed:

           What|Removed     |Added

        Version|unspecified |3.17-FINAL
             OS|            |All
         Status|NEW         |NEEDINFO

--- Comment #1 from Yegor Kozlov  ---
Can you please upload a sample file and code to reproduce the issue?
