[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #11 from PJ Fanning  ---
Hi Javen,
I can look at putting together some doc and related sample code.
Could take a few days.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #10 from Javen O'Neal  ---
Would you be interested in writing a few sentences to add to the Encryption
documentation https://poi.apache.org/encryption.html

The documentation source lives here:
https://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/encryption.xml?view=log

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

Javen O'Neal  changed:

   What|Removed |Added

 Status|NEEDINFO|RESOLVED
 Resolution|--- |FIXED

--- Comment #9 from Javen O'Neal  ---
Thanks for the prompt patches! Applied in r1763969.

If you have any other unit tests you would like to add, please reopen this bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

Javen O'Neal  changed:

   What|Removed |Added

  Attachment #34346|0   |1
   is patch||

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #8 from PJ Fanning  ---
Created attachment 34346
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34346=edit
Extra test cases for encrypted temp data

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #7 from PJ Fanning  ---
(In reply to Javen O'Neal from comment #6)
> 3. Can you write a unit test that demonstrates that temporary files created
> by SXSSFWorkbook are encrypted?

Thanks Javen. I can look at the 3 topics you highlighted and I can attach a new
patch file over the coming days.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #6 from Javen O'Neal  ---
3. Can you write a unit test that demonstrates that temporary files created by
SXSSFWorkbook are encrypted?

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

Javen O'Neal  changed:

   What|Removed |Added

  Attachment #34284|0   |1
is obsolete||
  Attachment #34284|0   |1
   is patch||

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

Javen O'Neal  changed:

   What|Removed |Added

 Status|NEW |NEEDINFO

--- Comment #5 from Javen O'Neal  ---
I am assuming a lazy consensus that there are no security issues with this
implementation. Most of the crypto code has been around in TestSecureTempZip
for a while anyway. This patch just makes that code available to developers by
moving it into the main library.

I applied your patch from comment 4 with a one minor change in r1763943.
1. provide protected or public accessor methods rather than elevating
visibility of private variables. This gives us more freedom in the future to
consolidate code between HSSF, XSSF, and SXSSF.

Remaining questions:

1. In AesZipFileZipEntrySource, should the close method do nothing if the
object has already been closed (guard the code with an if (closed)?
2. TestSecureTempZip demonstrates how to read an AES-encrypted XSSFWorkbook and
TestSXSSFWorkbookWithCustomZipEntrySource demonstrates how to write an
SXSSFWorkbook using encrypted temporary files, but we don't have an example for
writing an SXSSFWorkbook where both temporary files and the saved workbook are
AES-encrypted. Would you be willing to provide a code example or unit test for
this?

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

Javen O'Neal  changed:

   What|Removed |Added

  Attachment #34286|0   |1
   is patch||
  Attachment #34286|application/mbox|text/plain
  mime type||

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #4 from PJ Fanning  ---
Created attachment 34286
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34286=edit
[PATCH] open up SXSSF classes so that they can be subclassed

updated patch based on Javen's commit and tidied up some issues

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

--- Comment #3 from Javen O'Neal  ---
The patch from comment 2 looks good to me, including the relevant unit tests :)
I committed SXSSFWorkbook#flushSheets() to get the ball rolling in r1761668.

Can someone else review this patch to make sure this implementation doesn't
write unencrypted data to disk and is unlikely to be the source of a security
vulnerability?

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

[Bug 60153] [PATCH] Use ZipEntrySource in SXSSF module

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60153

PJ Fanning  changed:

   What|Removed |Added

Summary|Use ZipEntrySource in SXSSF |[PATCH] Use ZipEntrySource
   |module  |in SXSSF module

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org