Author: centic
Date: Sun Oct 22 10:17:04 2023
New Revision: 1913196

URL: http://svn.apache.org/viewvc?rev=1913196&view=rev
Log:
Add new section "secure processing"

This tries to provide some basic instructions related to secure processing when 
using Apache POI

Also apply some missing changes from .xml files

Added:
    poi/site/publish/security.html
    poi/site/src/documentation/content/xdocs/security.xml
Modified:
    poi/site/publish/casestudies.html
    poi/site/publish/changes.html
    poi/site/publish/components/index.html
    poi/site/publish/components/poi-jvm-languages.html
    poi/site/publish/components/poi-ruby.html
    poi/site/publish/components/spreadsheet/diagram1.html
    poi/site/publish/download.html
    poi/site/publish/encryption.html
    poi/site/publish/index.html
    poi/site/publish/legal.html
    poi/site/publish/linkmap.html
    poi/site/publish/related-projects.html
    poi/site/publish/text-extraction.html
    poi/site/src/documentation/content/xdocs/changes.xml
    poi/site/src/documentation/content/xdocs/site.xml

Modified: poi/site/publish/casestudies.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/casestudies.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/casestudies.html (original)
+++ poi/site/publish/casestudies.html Sun Oct 22 10:17:04 2023
@@ -125,6 +125,9 @@ document.write("Last Published: " + docu
 <div class="menuitem">
 <a href="encryption.html">Encryption support</a>
 </div>
+<div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
 <div class="menupage">
 <div class="menupagetitle">Case Studies</div>
 </div>

Modified: poi/site/publish/changes.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/changes.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/changes.html (original)
+++ poi/site/publish/changes.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">
@@ -214,6 +217,58 @@ document.write("Last Published: " + docu
         </p>
 </div>
 
+    
+<a name="5.2.5"></a>
+<h2 class="boxed">Version
+                5.2.5 (2023-11-??)
+            </h2>
+<div class="section">
+<a name="Summary"></a>
+<h3 class="boxed">Summary</h3>
+<ul>
+            
+<li>Upgrade commons-io dependency to 2.14.0</li>
+            
+<li>Upgrade log4j-api dependency to 2.21.0</li>
+            
+<li>Upgrade xmlsec dependency to 3.0.3</li>
+        
+</ul>
+<a name="Changes"></a>
+<h3 class="boxed">Changes</h3>
+<table class="POITable">
+<colgroup>
+<col width="100">
+<col width="200">
+<col width="150">
+<col>
+</colgroup>
+<thead>
+<tr>
+<th>Type</th><th>Bug</th><th>Module</th><th>Description</th>
+</tr>
+</thead>
+<tbody>
+            
+<tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67475";>67475</a></td><td>SS_Common</td><td>Better
 support for edge cases in TEXT function</td>
+</tr>
+            
+<tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67579";>67579</a></td><td>OOXML</td><td>fix
 regression in POI 5.2.4 which leads to POI closing user provided 
InputStreams</td>
+</tr>
+            
+<tr class="action">
+<td><img class="icon" alt="add" src="images/add.png"></td><td><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67735";>67735</a></td><td>XWPF</td><td>Add
 Complex scripts support in XWPFRun</td>
+</tr>
+            
+<tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a 
href="https://github.com/apache/poi/pull/505";>github-505</a></td><td>SL_Common</td><td>DrawTextFragment
 height should include leading space</td>
+</tr>
+        
+</tbody>
+</table>
+</div>
 
     
 <a name="5.2.4"></a>
@@ -265,6 +320,10 @@ document.write("Last Published: " + docu
 <tbody>
             
 <tr class="action">
+<td><img class="icon" alt="fix" src="images/fix.png"></td><td><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=66598";>66598</a></td><td>XSSF</td><td>Fix
 invalid loop-condition when cleaning up CTCells</td>
+</tr>
+            
+<tr class="action">
 <td><img class="icon" alt="fix" src="images/fix.png"></td><td><a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=47950";>47950</a></td><td>POI_Overall</td><td>make
 stream/directory name lookup in OLE2 case insensitive</td>
 </tr>
             

Modified: poi/site/publish/components/index.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/components/index.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/components/index.html (original)
+++ poi/site/publish/components/index.html Sun Oct 22 10:17:04 2023
@@ -614,11 +614,11 @@ document.write("Last Published: " + docu
 <tr>
           
 <td colspan="1" rowspan="1">poi</td>
-          <td colspan="1" rowspan="1"><a 
href="https://search.maven.org/#artifactdetails|org.apache.logging.log4j|log4j-api|2.20.0|jar">log4j
 2.x</a>,
-              <a 
href="https://search.maven.org/#artifactdetails|commons-codec|commons-codec|1.15|jar">commons-codec</a>,
+          <td colspan="1" rowspan="1"><a 
href="https://search.maven.org/#artifactdetails|org.apache.logging.log4j|log4j-api|2.21.0|jar">log4j
 2.x</a>,
+              <a 
href="https://search.maven.org/#artifactdetails|commons-codec|commons-codec|1.16.0|jar">commons-codec</a>,
               <a 
href="https://search.maven.org/#artifactdetails|org.apache.commons|commons-collections4|4.4|jar">commons-collections</a>,
               <a 
href="https://search.maven.org/#artifactdetails|org.apache.commons|commons-math3|3.6.1|jar">commons-math3</a>
-              <a 
href="https://search.maven.org/#artifactdetails|commons-io|commons-io|2.11.0|jar">commons-io</a>
+              <a 
href="https://search.maven.org/#artifactdetails|commons-io|commons-io|2.14.0|jar">commons-io</a>
           </td>
           <td colspan="1" rowspan="1">poi-version-yyyymmdd.jar</td>
         

Modified: poi/site/publish/components/poi-jvm-languages.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/components/poi-jvm-languages.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/components/poi-jvm-languages.html (original)
+++ poi/site/publish/components/poi-jvm-languages.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="../encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="../security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="../casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/components/poi-ruby.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/components/poi-ruby.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/components/poi-ruby.html (original)
+++ poi/site/publish/components/poi-ruby.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="../encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="../security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="../casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/components/spreadsheet/diagram1.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/components/spreadsheet/diagram1.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/components/spreadsheet/diagram1.html (original)
+++ poi/site/publish/components/spreadsheet/diagram1.html Sun Oct 22 10:17:04 
2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="../../encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="../../security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="../../casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/download.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/download.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/download.html (original)
+++ poi/site/publish/download.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/encryption.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/encryption.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/encryption.html (original)
+++ poi/site/publish/encryption.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <div class="menupagetitle">Encryption support</div>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">
@@ -567,9 +570,9 @@ document.write("Last Published: " + docu
             
 <li>BouncyCastle bcpkix, bcprov and bcutil (tested against 1.76)</li>
             
-<li>Apache Santuario "xmlsec" (tested against 3.0.2)</li>
+<li>Apache Santuario "xmlsec" (tested against 3.0.3)</li>
             
-<li>and slf4j-api (tested against 1.7.x)</li>
+<li>and slf4j-api (tested against 2.0.x)</li>
         
 </ul>
 <p>Depending on the <a 
href="apidocs/dev/org/apache/poi/poifs/crypt/dsig/SignatureConfig.html">configuration</a>

Modified: poi/site/publish/index.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/legal.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/legal.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/legal.html (original)
+++ poi/site/publish/legal.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/publish/linkmap.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/linkmap.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/linkmap.html (original)
+++ poi/site/publish/linkmap.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">
@@ -469,6 +472,12 @@ document.write("Last Published: " + docu
 </li>
 </ul>
         
+<ul>
+<li>
+<a href="security.html">Secure 
processing</a>&nbsp;&nbsp;___________________&nbsp;&nbsp;<em>encryption</em>
+</li>
+</ul>
+        
 <ul>
 <li>
 <a href="casestudies.html">Case 
Studies</a>&nbsp;&nbsp;___________________&nbsp;&nbsp;<em>casestudies</em>

Modified: poi/site/publish/related-projects.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/related-projects.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/related-projects.html (original)
+++ poi/site/publish/related-projects.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menupage">

Added: poi/site/publish/security.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/security.html?rev=1913196&view=auto
==============================================================================
--- poi/site/publish/security.html (added)
+++ poi/site/publish/security.html Sun Oct 22 10:17:04 2023
@@ -0,0 +1,282 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<html>
+<head>
+<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<meta content="Apache Forrest" name="Generator">
+<meta name="Forrest-version" content="0.9">
+<meta name="Forrest-skin-name" content="pelt">
+<title>Apache POI - Security guidance</title>
+<link type="text/css" href="skin/basic.css" rel="stylesheet">
+<link media="screen" type="text/css" href="skin/screen.css" rel="stylesheet">
+<link media="print" type="text/css" href="skin/print.css" rel="stylesheet">
+<link type="text/css" href="skin/profile.css" rel="stylesheet">
+<script src="skin/getBlank.js" language="javascript" 
type="text/javascript"></script><script src="skin/getMenu.js" 
language="javascript" type="text/javascript"></script><script 
src="skin/fontsize.js" language="javascript" type="text/javascript"></script>
+<link rel="shortcut icon" href="images/favicon.ico">
+</head>
+<body onload="init()">
+<script type="text/javascript">ndeSetTextSize();</script>
+<div id="top">
+<!--+
+    |breadtrail
+    +-->
+<div class="breadtrail">
+<a href="https://www.apache.org";>Apache Software Foundation</a> &gt; <a 
href="https://poi.apache.org";>Apache POI</a><script src="skin/breadcrumbs.js" 
language="JavaScript" type="text/javascript"></script>
+</div>
+<!--+
+    |header
+    +-->
+<div class="header">
+<!--+
+    |start group logo
+    +-->
+<div class="grouplogo">
+<a href="https://www.apache.org";><img class="logoImage" alt="Apache Software 
Foundation" src="images/group-logo.png" title="The Apache Software Foundation 
is a cornerstone of the modern Open Source software ecosystem &ndash; 
supporting some of the most widely used and important software solutions 
powering today's Internet economy."></a>
+</div>
+<!--+
+    |end group logo
+    +-->
+<!--+
+    |start Project Logo
+    +-->
+<div class="projectlogo">
+<a href="https://poi.apache.org";><img class="logoImage" alt="Apache POI" 
src="images/project-header.png" title="Apache POI is well-known in the Java 
field as a library for reading and writing Microsoft Office file formats, such 
as Excel, PowerPoint, Word, Visio, Publisher and Outlook. It supports both the 
older (OLE2) and new (OOXML - Office Open XML) formats."></a>
+</div>
+<!--+
+    |end Project Logo
+    +-->
+<!--+
+    |start Search
+    +-->
+<div class="searchbox">
+<form action="https://www.google.com/search"; method="get" 
class="roundtopsmall">
+<input value="poi.apache.org" name="sitesearch" type="hidden"><input 
onFocus="getBlank (this, 'Search the site with google');" size="25" name="q" 
id="query" type="text" value="Search the site with google">&nbsp; 
+                    <input name="Search" value="Search" type="submit">
+</form>
+</div>
+<!--+
+    |end search
+    +-->
+<!--+
+    |start Tabs
+    +-->
+<ul id="tabs">
+<li class="current">
+<a class="selected" href="index.html">Home</a>
+</li>
+<li>
+<a class="unselected" href="help/index.html">Help</a>
+</li>
+<li>
+<a class="unselected" href="components/index.html">Component APIs</a>
+</li>
+<li>
+<a class="unselected" href="devel/index.html">Getting Involved</a>
+</li>
+</ul>
+<!--+
+    |end Tabs
+    +-->
+</div>
+</div>
+<div id="main">
+<div id="publishedStrip">
+<!--+
+    |start Subtabs
+    +-->
+<div id="level2tabs"></div>
+<!--+
+    |end Endtabs
+    +-->
+<script type="text/javascript"><!--
+document.write("Last Published: " + document.lastModified);
+//  --></script>
+</div>
+<!--+
+    |breadtrail
+    +-->
+<div class="breadtrail">
+
+             &nbsp;
+           </div>
+<!--+
+    |start Menu, mainarea
+    +-->
+<!--+
+    |start Menu
+    +-->
+<div id="menu">
+<div onclick="SwitchMenu('menu_selected_1.1', 'skin/')" 
id="menu_selected_1.1Title" class="menutitle" style="background-image: 
url('skin/images/chapter_open.gif');">Overview</div>
+<div id="menu_selected_1.1" class="selectedmenuitemgroup" style="display: 
block;">
+<div class="menuitem">
+<a href="index.html">Home</a>
+</div>
+<div class="menuitem">
+<a href="download.html">Download</a>
+</div>
+<div class="menuitem">
+<a href="changes.html">Changelog</a>
+</div>
+<div class="menuitem">
+<a href="apidocs/index.html">Javadocs</a>
+</div>
+<div class="menuitem">
+<a href="text-extraction.html">Text Extraction</a>
+</div>
+<div class="menuitem">
+<a href="encryption.html">Encryption support</a>
+</div>
+<div class="menupage">
+<div class="menupagetitle">Secure processing</div>
+</div>
+<div class="menuitem">
+<a href="casestudies.html">Case Studies</a>
+</div>
+<div class="menuitem">
+<a href="related-projects.html">Related projects</a>
+</div>
+<div class="menuitem">
+<a href="legal.html">Legal</a>
+</div>
+</div>
+<div onclick="SwitchMenu('menu_1.2', 'skin/')" id="menu_1.2Title" 
class="menutitle">Apache Wide</div>
+<div id="menu_1.2" class="menuitemgroup">
+<div class="menuitem">
+<a href="https://www.apache.org/";>Apache Software Foundation</a>
+</div>
+<div class="menuitem">
+<a href="https://www.apache.org/licenses/";>License</a>
+</div>
+<div class="menuitem">
+<a href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a>
+</div>
+<div class="menuitem">
+<a href="https://www.apache.org/foundation/thanks.html";>Thanks</a>
+</div>
+<div class="menuitem">
+<a href="https://www.apache.org/security/";>Security</a>
+</div>
+<div class="menuitem">
+<a 
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy</a>
+</div>
+</div>
+<div id="credit"></div>
+<div id="roundbottom">
+<img style="display: none" class="corner" height="15" width="15" alt="" 
src="skin/images/rc-b-l-15-1body-2menu-3menu.png"></div>
+<!--+
+  |alternative credits
+  +-->
+<div id="credit2">
+<a href="https://donate.apache.org/";><img border="0" title="Support Apache" 
alt="Support Apache - logo" src="images/support-asf.png" style="width: 
125px;height: 125px;"></a><a 
href="https://www.apache.org/foundation/press/kit/#poweredby";><img border="0" 
title="powered by POI" alt="powered by POI - logo" 
src="images/poweredby-poi-logo.png" style="width: 125px;height: 125px;"></a>
+</div>
+</div>
+<!--+
+    |end Menu
+    +-->
+<!--+
+    |start content
+    +-->
+<div id="content">
+<h1>Apache POI - Security guidance</h1>
+<div id="front-matter"></div>
+    
+<a name="Overview"></a>
+<h2 class="boxed">Overview</h2>
+<div class="section">
+<p>This page provides some guidance about how Apache POI can be used in 
security-sensible areas.</p>
+</div>
+
+    
+<a name="Information+about+related+security+vulnerabilities"></a>
+<h2 class="boxed">Information about related security vulnerabilities</h2>
+<div class="section">
+<p>Information about security issues is included in the <a 
href="index.html">Project News</a>.</p>
+</div>
+
+    
+<a name="Reporting+security+vulnerabilities"></a>
+<h2 class="boxed">Reporting security vulnerabilities</h2>
+<div class="section">
+<p>Apache POI will try to fix security-related bugs with priority.</p>
+<p>Please follow the general <a href="https://www.apache.org/security/";>Apache 
Security Guidelines</a>
+            for proper handling.</p>
+<p>But please note that by the nature of processing external files, you should 
design your application
+            in a way which limits impact of malicious documents as much as 
possible. The higher your security-related
+            requirements are, the more you likely need to invest in your 
application to contain effects.
+        </p>
+</div>
+
+    
+<a name="Architecting+your+Application"></a>
+<h2 class="boxed">Architecting your Application</h2>
+<div class="section">
+<p>If you are processing documents from an untrusted source, you should add a 
number of safeguards to
+        your application to contain any unexpected side effects.</p>
+<p>Apache POI cannot fully protect against some documents causing impact on 
the current process, therefore
+        we suggest the following additional layers of security.</p>
+<ul>
+            
+<li>
+<strong>Expect any type of Exception when processing documents</strong>
+<br>
+                As parsing the various formats is very complex and involved, 
there are some unexpected types of
+                exceptions which can be thrown. E.g. StackOverflow or many 
different types of RuntimeException.
+                <br>
+                Make sure to have a broad catch-statement around your 
document-parsing functionality and be prepared
+                to handle all those gracefully.
+            </li>
+            
+<li>
+<strong>Expect long parsing time</strong>
+<br>
+                As parsing the various formats is very complex and involved, 
some documents might cause prolonged CPU
+                usage and long parsing time.
+                <br>
+                If this is a concern, make sure to have a way to stop 
processing after some time, maybe by the
+                sandboxing approach described below.
+            </li>
+            
+<li>
+<strong>Consider sandboxing document-parsing</strong>
+<br>
+                If you operate in a highly sensitive enviornment and would 
like to avoid any side effect from
+                parsing documents on your application, then consider 
extracting the parsing logic into a separate
+                process which is configured with appropriate memory settings 
and which you stop after some timeout.
+                <br>
+            
+</li>
+        
+</ul>
+</div>
+    
+<p align="right">
+<font size="-2">by&nbsp;Dominik Stadler</font>
+</p>
+</div>
+<!--+
+    |end content
+    +-->
+<div class="clearboth">&nbsp;</div>
+</div>
+<div id="footer">
+<!--+
+    |start bottomstrip
+    +-->
+<div class="lastmodified">
+<script type="text/javascript"><!--
+document.write("Last Published: " + document.lastModified);
+//  --></script>
+</div>
+<div class="copyright">
+        Copyright &copy;
+         2001-2023 <a href="https://www.apache.org/";>The Apache Software 
Foundation</a>
+</div>
+<div id="feedback">
+        Send feedback about the website to:
+    <a id="feedbackto" 
href="mailto:d...@poi.apache.org?subject=Feedback%C2%A0security.html";>d...@poi.apache.org</a>
+</div>
+<!--+
+    |end bottomstrip
+    +-->
+</div>
+</body>
+</html>

Modified: poi/site/publish/text-extraction.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/text-extraction.html?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/publish/text-extraction.html (original)
+++ poi/site/publish/text-extraction.html Sun Oct 22 10:17:04 2023
@@ -126,6 +126,9 @@ document.write("Last Published: " + docu
 <a href="encryption.html">Encryption support</a>
 </div>
 <div class="menuitem">
+<a href="security.html">Secure processing</a>
+</div>
+<div class="menuitem">
 <a href="casestudies.html">Case Studies</a>
 </div>
 <div class="menuitem">

Modified: poi/site/src/documentation/content/xdocs/changes.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/changes.xml?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/changes.xml (original)
+++ poi/site/src/documentation/content/xdocs/changes.xml Sun Oct 22 10:17:04 
2023
@@ -99,6 +99,7 @@
             <summary-item>Use jdk18on versions of bouncycastle jars 
(v1.76)</summary-item>
         </summary>
         <actions>
+            <action type="fix" fixes-bug="66598" context="XSSF">Fix invalid 
loop-condition when cleaning up CTCells</action>
             <action type="fix" fixes-bug="47950" context="POI_Overall">make 
stream/directory name lookup in OLE2 case insensitive</action>
             <action type="fix" fixes-bug="66521" context="POI_Overall">Provide 
a utility to clear all thread-locals to avoid reports of memory-leaks in 
web-application containers</action>
             <action type="fix" fixes-bug="66436" context="POI_Overall">Fix 
handling padding when decrypting data</action>

Added: poi/site/src/documentation/content/xdocs/security.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/security.xml?rev=1913196&view=auto
==============================================================================
--- poi/site/src/documentation/content/xdocs/security.xml (added)
+++ poi/site/src/documentation/content/xdocs/security.xml Sun Oct 22 10:17:04 
2023
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   ====================================================================
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+   ====================================================================
+-->
+<!DOCTYPE document PUBLIC "-//APACHE//DTD Documentation V2.0//EN" 
"document-v20.dtd">
+
+
+<document>
+    <header>
+        <title>Apache POI - Security guidance</title>
+        <authors>
+            <person id="centic" name="Dominik Stadler" 
email="cen...@apache.org"/>
+        </authors>
+    </header>
+
+    <body>
+    <section>
+        <title>Overview</title>
+
+        <p>This page provides some guidance about how Apache POI can be used 
in security-sensible areas.</p>
+    </section>
+
+    <section>
+        <title>Information about related security vulnerabilities</title>
+
+        <p>Information about security issues is included in the <a 
href="index.html">Project News</a>.</p>
+    </section>
+
+    <section>
+        <title>Reporting security vulnerabilities</title>
+
+        <p>Apache POI will try to fix security-related bugs with priority.</p>
+
+        <p>Please follow the general <a 
href="https://www.apache.org/security/";>Apache Security Guidelines</a>
+            for proper handling.</p>
+
+        <p>But please note that by the nature of processing external files, 
you should design your application
+            in a way which limits impact of malicious documents as much as 
possible. The higher your security-related
+            requirements are, the more you likely need to invest in your 
application to contain effects.
+        </p>
+    </section>
+
+    <section>
+        <title>Architecting your Application</title>
+
+        <p>If you are processing documents from an untrusted source, you 
should add a number of safeguards to
+        your application to contain any unexpected side effects.</p>
+
+        <p>Apache POI cannot fully protect against some documents causing 
impact on the current process, therefore
+        we suggest the following additional layers of security.</p>
+
+        <ul>
+            <li><strong>Expect any type of Exception when processing 
documents</strong><br/>
+                As parsing the various formats is very complex and involved, 
there are some unexpected types of
+                exceptions which can be thrown. E.g. StackOverflow or many 
different types of RuntimeException.
+                <br/>
+                Make sure to have a broad catch-statement around your 
document-parsing functionality and be prepared
+                to handle all those gracefully.
+            </li>
+            <li><strong>Expect long parsing time</strong><br/>
+                As parsing the various formats is very complex and involved, 
some documents might cause prolonged CPU
+                usage and long parsing time.
+                <br/>
+                If this is a concern, make sure to have a way to stop 
processing after some time, maybe by the
+                sandboxing approach described below.
+            </li>
+            <li><strong>Consider sandboxing document-parsing</strong><br/>
+                If you operate in a highly sensitive enviornment and would 
like to avoid any side effect from
+                parsing documents on your application, then consider 
extracting the parsing logic into a separate
+                process which is configured with appropriate memory settings 
and which you stop after some timeout.
+                <br />
+            </li>
+        </ul>
+    </section>
+    </body>
+
+    <footer>
+        <legal>
+            Copyright (c) @year@ The Apache Software Foundation. All rights 
reserved.
+            <br />
+            Apache POI, POI, Apache, the Apache feather logo, and the Apache
+            POI project logo are trademarks of The Apache Software Foundation.
+        </legal>
+    </footer>
+</document>
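Review bot: Two wording defects on the new side are carried into the generated security.html hunk earlier in this commit: `security-sensible` in the Overview paragraph should read `security-sensitive`, and `enviornment` in the sandboxing bullet should read `environment`; both belong in this source file, with the published page regenerated. Beyond wording, the "Architecting your Application" section tells readers to expect unbounded memory and CPU use but does not point them at the limits POI already lets a caller configure; as far as I recall these include `ZipSecureFile.setMinInflateRatio` / `ZipSecureFile.setMaxEntrySize` for the OOXML zip container and `IOUtils.setByteArrayMaxOverride` for the largest single allocation, so a short bullet naming them, plus advice to cap the input file size before handing it to POI, would make the guidance actionable rather than only cautionary. The footer uses `<br />` while the body uses `<br/>`; harmonising is cosmetic.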

Modified: poi/site/src/documentation/content/xdocs/site.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/site.xml?rev=1913196&r1=1913195&r2=1913196&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/site.xml (original)
+++ poi/site/src/documentation/content/xdocs/site.xml Sun Oct 22 10:17:04 2023
@@ -38,6 +38,7 @@ See https://xml.apache.org/forrest/linki
         <javadocs label="Javadocs" href="apidocs/index.html"/>
         <extraction label="Text Extraction" href="text-extraction.html"/>
         <encryption label="Encryption support" href="encryption.html"/>
+        <encryption label="Secure processing" href="security.html"/>
         <casestudies label="Case Studies" href="casestudies.html"/>
         <related label="Related projects" href="related-projects.html"/>
         <legal label="Legal" href="legal.html"/>
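Review bot: The new menu entry reuses the element name `encryption`, so site.xml now has two `encryption` children and Forrest's site: link key for the new page collides with the existing "Encryption support" entry; the regenerated linkmap.html hunk earlier in this commit already shows the "Secure processing" row labelled `<em>encryption</em>`. Give the entry its own key, e.g. `<security label="Secure processing" href="security.html"/>`, and regenerate the published pages so the linkmap and any `site:` references resolve to the intended page. The enclosing parent element starts before the hunk, so I cannot see whether another child already uses the name `security`.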


