https://bz.apache.org/bugzilla/show_bug.cgi?id=58617
Bug ID: 58617
Summary: Add custom safe XmlBeans type loader / rename vendor
specific schema packages
Product: POI
Version: 3.14-dev
Hardware: All
OS: All
Status: NEW
Keywords: PatchAvailable
Severity: normal
Priority: P2
Component: POI Overall
Assignee: [email protected]
Reporter: [email protected]
Currently the XmlBeans Factory methods allow parsing of raw data without safe
limits, i.e. with XmlOption element.
To prevent future usage without the XmlOption element (as I temporarily did
...), I thought about adding a forbidden-apis check [1],
but this is currently not possible.
So instead I've modified the ooxml-schema sources to point to a custom wrapper
[2].
I don't think someone uses the ooxml-schemas without POI, but in this rare
case they would need to copy & paste [2] into their classes.
Apart from the wrapper, I've added an XsdConfig for the vendor specific schema
extension.
The former package name was something like schemasMicrosoftComVml or
schemasMicrosoftComOfficeOffice, ...
now they are called com.microsoft.schemas.vml or
com.microsoft.schemas.office.office, ...
this goes better along with the other similarly named packages for Visio or
encryption/signing.
There are only very few places in the code which reference VML stuff and
therefore user code shouldn't be affected much.
If no-one objects until 22.11.15, I'll apply that patch.
Andi.
[1] https://github.com/policeman-tools/forbidden-apis/issues/88
[2] org.apache.poi.POIXMLTypeLoader
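For readers who want to see what "parsing without safe limits" versus a wrapper with XmlOptions looks like in practice, the following is an added example written for this page; it is not POI's POIXMLTypeLoader and not code from the report above. The class name SafeXmlLoader, the sample documents and the specific limits (disallowing DOCTYPE, entity expansion limit of 1, 4096 entity bytes) are assumptions chosen to illustrate the idea, and the example assumes an XmlBeans version whose XmlOptions provides those three setters.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;

/**
 * Hypothetical wrapper (not POI's POIXMLTypeLoader) that routes every
 * XmlBeans parse call through one hardened XmlOptions instance, so that
 * callers cannot "forget" the options argument.
 */
public final class SafeXmlLoader {

    // Assumption: these are the limits a hardened loader would choose.
    private static final XmlOptions SAFE_OPTIONS = new XmlOptions();
    static {
        // Reject any <!DOCTYPE ...>, which is where external entities
        // and entity-expansion bombs ("billion laughs") are declared.
        SAFE_OPTIONS.setDisallowDocTypeDeclaration(true);
        // Belt and braces in case the DOCTYPE rule is relaxed later:
        // cap nested entity expansion and the bytes an entity may pull in.
        SAFE_OPTIONS.setEntityExpansionLimit(1);
        SAFE_OPTIONS.setLoadEntityBytesLimit(4096);
    }

    private SafeXmlLoader() {}

    /**
     * Parse untrusted XML with the hardened options.
     * The unguarded call this replaces is XmlObject.Factory.parse(in),
     * which applies no limits at all.
     */
    public static XmlObject parse(InputStream in) throws XmlException, IOException {
        return XmlObject.Factory.parse(in, SAFE_OPTIONS);
    }

    // Constructed sample input: one benign document and one carrying a
    // DOCTYPE with an external entity plus a small expansion bomb.
    private static final String BENIGN =
        "<a:root xmlns:a=\"urn:example\"><a:item>ok</a:item></a:root>";
    private static final String HOSTILE =
        "<!DOCTYPE r [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
      + "  <!ENTITY l0 \"lol\">\n"
      + "  <!ENTITY l1 \"&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;\">\n"
      + "  <!ENTITY l2 \"&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;\">\n"
      + "]>\n"
      + "<r>&xxe;&l2;</r>";

    private static InputStream bytes(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        XmlObject ok = parse(bytes(BENIGN));
        System.out.println("benign parsed: " + ok.xmlText());

        try {
            parse(bytes(HOSTILE));
            System.out.println("UNEXPECTED: hostile document was accepted");
        } catch (XmlException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hostile document rejected: " + e.getMessage());
        }
    }
}
```

The point of funnelling every parse through a single static XmlOptions, rather than asking each call site to pass its own, is that a new call site that omits the options argument simply does not compile against the wrapper; that is the same effect the report is after with a forbidden-apis rule, achieved at the source level instead.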