poi-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 54764] XSSF : Vulnerable to entity expansion attack
Date Mon, 04 Aug 2014 20:51:07 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=54764

Nick Burch <apache@gagravarr.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Nick Burch <apache@gagravarr.org> ---
In r1615781 I've added a call to SystemCache.get().setSaxLoader(null) near
the top of POIXMLDocument. This means that on XMLBeans 2.6, even without a
proper fix for XMLBEANS-512, if one file triggers the entity limit then
subsequent normal ones can still be parsed fine. (Looks to be a pretty trivial
extra overhead.)

I've also bumped the default XMLBeans runtime to 2.6 (schema compiler remains
2.3 for compatibility), added notes to the changelog and site, and enabled the
unit tests which show everything behaves itself now when using the JVM-default
XML Parser and XMLBeans 2.6.

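The same reset, as an added example for callers on a POI build that predates r1615781 (this is not POI's own code; it assumes the POI 3.x / XMLBeans 2.6 API of the time, with SystemCache.setSaxLoader taken from the comment above and Workbook being Closeable as in POI 3.10+):

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.apache.xmlbeans.impl.common.SystemCache;

/**
 * Added example (not POI's own code). On XMLBeans 2.6 without the XMLBEANS-512
 * fix, a document that trips the parser's entity expansion limit can leave the
 * cached SAX loader in a bad state, so later, well-formed documents fail too.
 * Dropping the cached loader after a failed parse confines the damage to the one
 * bad file, which is what r1615781 does inside POIXMLDocument.
 */
public final class EntityLimitSafeLoader {

    private EntityLimitSafeLoader() {}

    /** Opens a workbook; on any parse failure, drops the cached SAX loader before rethrowing. */
    public static XSSFWorkbook open(File file) throws IOException {
        try (InputStream in = new FileInputStream(file)) {
            return new XSSFWorkbook(in);
        } catch (RuntimeException e) {
            // POI surfaces the XmlException as an unchecked exception. Clear the
            // cached loader so the next call builds a fresh one instead of reusing
            // the instance left behind by the entity-limit failure.
            SystemCache.get().setSaxLoader(null);
            throw e;
        }
    }

    /** Returns whether a file opens cleanly; lets a test show that a bad file does not break the next one. */
    public static boolean opensCleanly(File file) {
        try (XSSFWorkbook wb = open(file)) {
            return wb.getNumberOfSheets() >= 0;
        } catch (IOException | RuntimeException e) {
            return false;
        }
    }
}
```

Calling opensCleanly on a known-good file immediately after a file that hit the entity limit should return true; without the reset in the catch block, the second call can fail on the unfixed XMLBeans 2.6.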

