OK, I'll check with xmlbeans ... hopefully they won't punt back citing user-configuration options.
Regards and thanks
Jp

On Mon, Jan 14, 2013 at 2:19 AM, Yegor Kozlov <[email protected]> wrote:
> POI does not manipulate XML directly. On low level, it uses Apache
> XmlBeans library to manipulate the OOXML formats.
> Very roughly the approach is as follows:
> - at build time generate xmlbeans from the Microsoft/OASIS schema files.
> - use the generated beans in the code and do all the XML work via
>   high-level getters and setters.
>
> You may want to ask the XmlBeans project whether they address XML
> vulnerabilities. AFAIK, XmlBeans does not depend on the XML parser
> from JDK, instead they are using their own custom parser called
> Piccolo. This means that XML vulnerabilities published by Oracle do
> not necessarily apply to XmlBeans.
>
> On Mon, Jan 14, 2013 at 12:13 PM, Jon Gorrono <[email protected]> wrote:
>> I'm not reporting an unpublished vulnerability ...I'd like to know if
>> certain published vulnerabilities in XML processing have been
>> addressed. The 'vulnerabilities' are overcome by configuration
>> (features).... which may or may not be set by this project in order to
>> do that.
>>
>> Even though they are published, the fact that a particular project
>> might expose one or more may not be publicly known. I don't want to
>> break etiquette or otherwise ruin anything by spilling beans, as it
>> were. It's up to the project.
>>
>> On Sun, Jan 13, 2013 at 11:07 PM, Yegor Kozlov <[email protected]> wrote:
>>> Are you going to report a vulnerability or discuss whether POI is
>>> secure in terms of processing XML ?
>>>
>>> The Apache Software Foundation strongly encourages people to report
>>> security vulnerabilities to the private security mailing list first,
>>> before disclosing them in a public forum. See
>>> http://www.apache.org/security/
>>>
>>> Yegor
>>>
>>> On Mon, Jan 14, 2013 at 8:46 AM, Jon Gorrono <[email protected]> wrote:
>>>> Hello.
>>>>
>>>> Who can I interact with WRT mitigation of possible XML processing
>>>> vulnerabilities in POI?
>>>>
>>>> I don't know that it is appropriate to be too specific on this list.
>>>>
>>>> The topic might be more appropriate for the dev list or ?
>>>>
>>>> Regards.
>>>> --
>>>> Jon Gorrono
>>>> PGP Key: 0x5434509D -
>>>> http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
>>>> http{middleware.ucdavis.edu}
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]

--
Jon Gorrono
PGP Key: 0x5434509D -
http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
http{middleware.ucdavis.edu}
