https://issues.apache.org/bugzilla/show_bug.cgi?id=54764
--- Comment #3 from Phil Persad <[email protected]> ---

After looking into the issue more closely (while trying to safely parse docx files), I found that the openxml4j code does not pre-parse as many of the various .xml files in a .docx as they do in a .xlsx. As a result, even if openxml4j is parsing securely, an XML bomb can still sneak past un-parsed and blow up in the XWPFDocument construction.

In the end a simpler solution was to implement pre-parsing of all the XML documents in the docx zip stream with a securely configured parser in the calling application. I'm not too thrilled with the performance implications, but a node failing due to a bad XML file in an openXML doc is the worst case and worth the performance hit to avoid.
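The pre-parsing approach described in the comment, shown as an added example that is not part of the original comment or of Apache POI. The class name `OoxmlPreflight`, the use of a SAX parser with these feature settings, and the in-memory sample archive are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

public final class OoxmlPreflight {   // hypothetical helper, not a POI class
    /** Parses every XML part; throws SAXException on a DOCTYPE or malformed XML. */
    public static void check(InputStream ooxml)
            throws IOException, SAXException, ParserConfigurationException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Entity expansion needs a DTD, and OOXML parts never need one: refuse DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        try (ZipInputStream zip = new ZipInputStream(ooxml)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String n = e.getName().toLowerCase(Locale.ROOT);
                if (!(n.endsWith(".xml") || n.endsWith(".rels") || n.endsWith(".vml"))) continue;
                XMLReader reader = f.newSAXParser().getXMLReader();
                reader.setContentHandler(new DefaultHandler());   // discard all events
                // The parser closes its input when done; shield the shared zip stream.
                reader.parse(new InputSource(new FilterInputStream(zip) {
                    @Override public void close() { }
                }));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an archive whose only part declares a (harmless) DOCTYPE.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            z.putNextEntry(new ZipEntry("word/document.xml"));
            z.write("<!DOCTYPE d [<!ENTITY a \"x\">]><d>&a;</d>".getBytes(StandardCharsets.UTF_8));
        }
        try {
            check(new ByteArrayInputStream(buf.toByteArray()));
            System.out.println("accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run the check on a buffered copy of the upload before handing the same bytes to `XWPFDocument`. It only rejects DTD-based expansion and malformed XML; it does not bound the decompressed size of a part.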
