poi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uwe Schindler" <...@thetaphi.de>
Subject RE: [VOTE] Apache POI 3.11-beta2 release
Date Mon, 18 Aug 2014 16:30:13 GMT
Hi,

I will add a line to the 3.10.1 release notes in a moment, which is already on Maven Central
and most mirrors.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: David kerber [mailto:dckerber@verizon.net]
> Sent: Monday, August 18, 2014 6:27 PM
> To: POI Developers List
> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> 
> I would vote to stick to your guns on the pre-requisites, and let it fail if the
> user's environment doesn't meet the requirements.
> 
> Maybe put something in the release notes about this so they know what's
> going on when they hit this issue.
> 
> 
> 
> On 8/18/2014 12:18 PM, Uwe Schindler wrote:
> > The question to the others:
> >
> > This is a dependency problem and not POI's fault. We can provide a
> "workaround" (which introduces a security issue on those broken platforms)
> - this is why I raised to warning level when adding the workaround.
> > I don't think this should hold a beta2 release, XERCES 2.6.1 is 10 (!!!) years
> old and was released before Java 5, which added
> DoucmentBuilderFactory#setFeature().
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> >> -----Original Message-----
> >> From: Uwe Schindler [mailto:uwe@thetaphi.de]
> >> Sent: Monday, August 18, 2014 6:08 PM
> >> To: 'POI Developers List'
> >> Subject: RE: [VOTE] Apache POI 3.11-beta2 release
> >>
> >> H Dominik,
> >>
> >> I committed the suggested fix (to both poi and poi-ooxml):
> >>
> >> http://svn.apache.org/r1618644
> >>
> >> Please note: I raised the logging level on failure to "warning", because you
> >> make your XML parsing vulnerable to CVE-2014-3574 and CVE-2014-3529 !
> >>
> >> POI 3.10.1 should have same issue, but its less severe there, because
> >> DocumentHelper is only used for Excel Import/Export in OOXML, not for
> >> openxml DOMs.
> >> Uwe
> >>
> >> -----
> >> Uwe Schindler
> >> H.-H.-Meier-Allee 63, D-28213 Bremen
> >> http://www.thetaphi.de
> >> eMail: uwe@thetaphi.de
> >>
> >>
> >>> -----Original Message-----
> >>> From: Dominik Stadler [mailto:dominik.stadler@gmx.at]
> >>> Sent: Monday, August 18, 2014 4:09 PM
> >>> To: POI Developers List
> >>> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> >>>
> >>> I agree that it the lib is outdated, but in my case it is pulled in by
> >>> some other dependency down the tree, being a large project, it is hard
> >>> to update the Xerces dependency without causing more work to update
> >>> other dependencies that are not related to POI, thus making a simple
> >>> update of POI rather complicated.
> >>>
> >>> These tests ran fine with POI 3.10 and 3.11-beta1, so we are
> >>> introducing this incompatibility with -beta2. A fix is easy, just
> >>> catch the AbstractMethodError in that place the same way that we
> already
> >> catch Exception.
> >>>
> >>> So my vote is now 0, I do not vote against it, but think we should do
> >>> this change for 3.11 final.
> >>>
> >>> Dominik.
> >>>
> >>>
> >>> On Mon, Aug 18, 2014 at 3:03 PM, Uwe Schindler <uwe@thetaphi.de>
> >> wrote:
> >>>> Hi,
> >>>>
> >>>> this old Xerces version is not compliant to Java 6 as required as
> >>>> minimum
> >>> JVM. Since Java 1.4, the JDK requires setFeature() to be available.
> >>>>
> >>>> The problem you have is: Something is inserting an older version of
> >>>> xml-
> >>> apis.jar into the classpath or the lib/ext folder of your JDK, that
> >>> breaks java 1.4+.
> >>>>
> >>>> This will also happen with the bug fix release 3.10.1. There is
> >>>> nothing we
> >>> can do; upgrade to newer XERCES, which is compliant to newer Java
> >> versions.
> >>>>
> >>>> Uwe
> >>>>
> >>>> -----
> >>>> Uwe Schindler
> >>>> H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> >>>> eMail: uwe@thetaphi.de
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Dominik Stadler [mailto:dominik.stadler@gmx.at]
> >>>>> Sent: Monday, August 18, 2014 2:52 PM
> >>>>> To: POI Developers List
> >>>>> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I get the following, which looks like the change to remove dom4j
is
> >>>>> not fully working yet for some versions of Xerces XML Parser:
> >>>>>
> >>>>> java.lang.AbstractMethodError:
> >>>>>
> >>>
> >>
> javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
> >>>>>      at
> >>>>>
> >>>
> >>
> org.apache.poi.util.DocumentHelper.trySetSAXFeature(DocumentHelper.ja
> >>>>> v
> >>>>> a:62)
> >>>>>      at
> >>> org.apache.poi.util.DocumentHelper.<clinit>(DocumentHelper.java:56)
> >>>>>      at
> >>>>>
> org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.m
> >>>>> arsh
> >>>>> allRelationshipPart(ZipPartMarshaller.java:120)
> >>>>>      at
> >>>>>
> >> org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:464)
> >>>>>      at
> >>>>>
> >> org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1425)
> >>>>>      at
> >> org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:201)
> >>>>>      at
> >>>>>
> >> com.xxx.diagnostics.report.excel.ExcelRenderer.reportDashboard(ExcelR
> >>>>> ep
> >>>>> ortRenderer.java:99)
> >>>>>      at
> >>>>>
> >> com.xxx.diagnostics.report.excel.ExcelRendererTest.testReportDashboar
> >>>>> dW
> >>>>> ithTooManyTableRowsXLSX(ExcelReportRendererTest.java:2268)
> >>>>>
> >>>>> This is a larger set of tests with some POI-related tests, due to
> >>>>> other dependencies an older version of Xerces XML Parser is pulled:
> >>>>>
> >>>>> documentBuilderFactory is a
> >>>>> org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and not a
> >>>>> javax.xml.parsers.DocumentBuilderFactory which is provided with
> Java
> >>> itself.
> >>>>>
> >>>>> Test-Case is simply:
> >>>>>
> >>>>>      @Test
> >>>>>      public void testCrash() throws IOException {
> >>>>>          System.out.println("Java: " +
> >>>>> System.getProperty("java.version"));
> >>>>>
> >>>>>          try (Workbook wb = new XSSFWorkbook()) {
> >>>>>              FileOutputStream out = new FileOutputStream(new
> >>>>> File("C:\\temp\\test.xlsx"));
> >>>>>              try {
> >>>>>                  wb.write(out);
> >>>>>              } finally {
> >>>>>                  out.close();
> >>>>>              }
> >>>>>          }
> >>>>>      }
> >>>>>
> >>>>>
> >>>>> At least xerces-2.6.1 is not providing the "setFeature()" method,
> >>>>> xerces-2.11 and 2.9.1 seem to have it, I did not check intermediate
> >>> versions.
> >>>>>
> >>>>> I vote that we avoid this crash by either also catching the
> >>>>> AbstractMethodError or not calling that method on older versions
of
> >>>>> Xerces that do not yet have "setFeature". Customers will run POI
in
> >>>>> all sorts of environments and thus it is likely that older versions
> >>>>> of Xerces are still present in a number of them.
> >>>>>
> >>>>> Thus -1 from me unless it can be explained as being a local problem
> >>>>> in my environment.
> >>>>>
> >>>>> Dominik.
> >>>>>
> >>>>> On Sun, Aug 17, 2014 at 11:45 PM, Andreas Beeker
> >>>>> <andreas.beeker@gmx.de> wrote:
> >>>>>> +1 from my side
> >>>>>>
> >>>>>>
> >>>>>> -------------------------------------------------------------------
> >>>>>> -- To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org For
> >>>>>> additional commands, e-mail: dev-help@poi.apache.org
> >>>>>>
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org For
> additional
> >>>>> commands, e-mail: dev-help@poi.apache.org
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org For
> additional
> >>>> commands, e-mail: dev-help@poi.apache.org
> >>>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org For additional
> >>> commands, e-mail: dev-help@poi.apache.org
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
> >> For additional commands, e-mail: dev-help@poi.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
> > For additional commands, e-mail: dev-help@poi.apache.org
> >
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
> For additional commands, e-mail: dev-help@poi.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


Mime
View raw message