poi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 58617] New: Add custom safe XmlBeans type loader / rename vendor specific schema packages
Date Mon, 16 Nov 2015 22:23:25 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=58617

            Bug ID: 58617
           Summary: Add custom safe XmlBeans type loader / rename vendor
                    specific schema packages
           Product: POI
           Version: 3.14-dev
          Hardware: All
                OS: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: POI Overall
          Assignee: dev@poi.apache.org
          Reporter: kiwiwings@apache.org

Currently the XmlBeans Factory methods allow parsing of raw data without safe 
limits, i.e. with XmlOption element.
To prevent future usage without the XmlOption element (as I temporarily did 
...), I thought about adding a forbidden-apis check [1],
but this is currently not possible.
So instead I've modified the ooxml-schema sources to point to a custom wrapper 
[2].
I don't think, someone uses the ooxml-schemas without POI, but in this rare 
case they would need to copy&paste [2] into their classes.

Apart of the wrapper, I've added an XsdConfig for the vendor specific schema 
extension.
The former package name was something like schemasMicrosoftComVml or 
schemasMicrosoftComOfficeOffice, ...
now they are called com.microsoft.schemas.vml or 
com.microsoft.schemas.office.office, ...
this goes better along the other similar named packages for Visio or 
encryption/signing.
There are only very few places in the code which reference VML stuff and 
therefore user code shouldn't be affected much.

If no-one objects until 22.11.15, I'll apply that patch.

Andi.

[1] https://github.com/policeman-tools/forbidden-apis/issues/88
[2] org.apache.poi.POIXMLTypeLoader

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


Mime
View raw message