poi-user mailing list archives

From: Yegor Kozlov <yegor.koz...@dinom.ru>
Subject: Re: XML processing vulnerabilities in POI
Date: Mon, 14 Jan 2013 10:19:38 GMT
POI does not manipulate XML directly. At a low level, it uses the Apache
XmlBeans library to manipulate the OOXML formats.
Very roughly the approach is as follows:
 - at build time generate xmlbeans from the Microsoft/OASIS schema files.
 - use the generated beans in the code and do all the XML work via
high-level getters and setters.

You may want to ask the XmlBeans project whether they address XML
vulnerabilities. AFAIK, XmlBeans does not depend on the XML parser
from the JDK; instead they are using their own custom parser called
Piccolo. This means that XML vulnerabilities published by Oracle do
not necessarily apply to XmlBeans.


On Mon, Jan 14, 2013 at 12:13 PM, Jon Gorrono <jpgorrono@ucdavis.edu> wrote:
> I'm not reporting an unpublished vulnerability... I'd like to know if
> certain published vulnerabilities in XML processing have been
> addressed. The 'vulnerabilities' are overcome by configuration
> (features)... which may or may not be set by this project in order to
> do that.
>
> Even though they are published, the fact that a particular project
> might expose one or more may not be publicly known. I don't want to
> break etiquette or otherwise ruin anything by spilling beans, as it
> were. It's up to the project.
>
> On Sun, Jan 13, 2013 at 11:07 PM, Yegor Kozlov <yegor.kozlov@dinom.ru> wrote:
>> Are you going to report a vulnerability or discuss whether POI is
>> secure in terms of processing XML ?
>>
>> The Apache Software Foundation strongly encourages people to report
>> security vulnerabilities to the private security mailing list first,
>> before disclosing them in a public forum.  See
>> http://www.apache.org/security/
>>
>> Yegor
>>
>> On Mon, Jan 14, 2013 at 8:46 AM, Jon Gorrono <jpgorrono@ucdavis.edu> wrote:
>>> Hello.
>>>
>>> Who can I interact with WRT mitigation of possible XML processing
>>> vulnerabilities in POI?
>>>
>>> I don't know that it is appropriate to be too specific on this list.
>>>
>>> The topic might be more appropriate for the dev list or ?
>>>
>>> Regards.
>>> --
>>> Jon Gorrono
>>> PGP Key: 0x5434509D -
>>> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
>>> http://middleware.ucdavis.edu
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
>>> For additional commands, e-mail: user-help@poi.apache.org
>>>
>>
>>
>
>
>
> --
> Jon Gorrono
> PGP Key: 0x5434509D -
> http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
> http://middleware.ucdavis.edu
>
>

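The thread turns on parser "features": configuration switches that close off XML processing attacks such as external entity resolution and entity expansion, which a project may or may not have set. The Java below is an added example, not code from POI, XmlBeans or either correspondent. It shows the JAXP feature settings on the JDK's bundled DOM and StAX parsers, then checks them against a constructed document whose DTD declares an external entity pointing at a placeholder path. It assumes the JDK's own Xerces and SJSXP implementations, which honour the feature names used; XmlBeans' Piccolo parser, mentioned above, is a separate implementation and, as far as I know, is not configured through these factory calls, so POI users have to check with that project as Yegor suggests.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example: hardened JAXP parser configuration, not POI or XmlBeans code.
public class HardenedXmlParsing {

    // Constructed sample (not taken from any real document): a DOCTYPE that
    // declares an external entity. The SYSTEM path is a placeholder; with the
    // settings below nothing is ever read from it.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file.txt\"> ]>\n"
        + "<doc>&ext;</doc>";

    /** DOM (JAXP) builder: refuse DOCTYPE declarations outright, plus the usual fallbacks. */
    public static DocumentBuilder hardenedDomBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE removes both external entities and entity-expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Fallbacks for parsers that accept DOCTYPEs but honour the SAX entity features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** StAX factory: no DTD support and no external entity resolution. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** True when the hardened DOM builder refuses the document (a SAXParseException on the DOCTYPE). */
    public static boolean domRejectsDoctype(String xml) throws Exception {
        try {
            hardenedDomBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException expected) {
            return true;
        }
    }

    /**
     * True when the hardened StAX reader pulls in no external content. The JDK's
     * bundled implementation reports the now-undeclared entity as a fatal error;
     * an implementation that instead leaves the reference unresolved yields no
     * character data, which this method also treats as blocked.
     */
    public static boolean staxBlocksExternalEntity(String xml) throws Exception {
        XMLStreamReader r = null;
        try {
            r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            return text.length() == 0;
        } catch (XMLStreamException expected) {
            return true;
        } finally {
            if (r != null) {
                r.close();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM rejects DOCTYPE:         " + domRejectsDoctype(SAMPLE_WITH_EXTERNAL_ENTITY));
        System.out.println("StAX blocks external entity: " + staxBlocksExternalEntity(SAMPLE_WITH_EXTERNAL_ENTITY));
    }
}
```

The two checks are deliberately separate: the DOM path is configured to fail closed on any DOCTYPE, which is the setting to prefer when the input format never legitimately carries one, while the StAX path shows the narrower switches for a parser that must tolerate a DTD but must never fetch anything it references.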

