Hi Dominik,

I committed the suggested fix (to both poi and poi-ooxml):
http://svn.apache.org/r1618644

Please note: I raised the logging level on failure to "warning", because you
make your XML parsing vulnerable to CVE-2014-3574 and CVE-2014-3529! POI 3.10.1
should have the same issue, but it's less severe there, because DocumentHelper
is only used for Excel Import/Export in OOXML, not for openxml DOMs.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]


> -----Original Message-----
> From: Dominik Stadler [mailto:[email protected]]
> Sent: Monday, August 18, 2014 4:09 PM
> To: POI Developers List
> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
>
> I agree that the lib is outdated, but in my case it is pulled in by some
> other dependency down the tree. Being a large project, it is hard to update
> the Xerces dependency without causing more work to update other
> dependencies that are not related to POI, thus making a simple update of
> POI rather complicated.
>
> These tests ran fine with POI 3.10 and 3.11-beta1, so we are introducing this
> incompatibility with -beta2. A fix is easy: just catch the AbstractMethodError
> in that place the same way that we already catch Exception.
>
> So my vote is now 0. I do not vote against it, but think we should do this
> change for 3.11 final.
>
> Dominik.
>
>
> On Mon, Aug 18, 2014 at 3:03 PM, Uwe Schindler <[email protected]> wrote:
> > Hi,
> >
> > this old Xerces version is not compliant with Java 6, which is required
> > as the minimum JVM. Since Java 1.4, the JDK requires setFeature() to be
> > available.
> >
> > The problem you have is: something is inserting an older version of
> > xml-apis.jar into the classpath or the lib/ext folder of your JDK, which
> > breaks Java 1.4+.
> >
> > This will also happen with the bug fix release 3.10.1. There is nothing we
> > can do; upgrade to a newer Xerces, which is compliant with newer Java
> > versions.
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: [email protected]
> >
> >
> >> -----Original Message-----
> >> From: Dominik Stadler [mailto:[email protected]]
> >> Sent: Monday, August 18, 2014 2:52 PM
> >> To: POI Developers List
> >> Subject: Re: [VOTE] Apache POI 3.11-beta2 release
> >>
> >> Hi,
> >>
> >> I get the following, which looks like the change to remove dom4j is
> >> not fully working yet for some versions of the Xerces XML parser:
> >>
> >> java.lang.AbstractMethodError:
> >> javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
> >>     at org.apache.poi.util.DocumentHelper.trySetSAXFeature(DocumentHelper.java:62)
> >>     at org.apache.poi.util.DocumentHelper.<clinit>(DocumentHelper.java:56)
> >>     at org.apache.poi.openxml4j.opc.internal.marshallers.ZipPartMarshaller.marshallRelationshipPart(ZipPartMarshaller.java:120)
> >>     at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:464)
> >>     at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1425)
> >>     at org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:201)
> >>     at com.xxx.diagnostics.report.excel.ExcelRenderer.reportDashboard(ExcelReportRenderer.java:99)
> >>     at com.xxx.diagnostics.report.excel.ExcelRendererTest.testReportDashboardWithTooManyTableRowsXLSX(ExcelReportRendererTest.java:2268)
> >>
> >> This is a larger set of tests with some POI-related tests; due to
> >> other dependencies an older version of the Xerces XML parser is pulled in:
> >>
> >> documentBuilderFactory is a
> >> org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and not a
> >> javax.xml.parsers.DocumentBuilderFactory which is provided with Java
> >> itself.
> >>
> >> Test-Case is simply:
> >>
> >>     @Test
> >>     public void testCrash() throws IOException {
> >>         System.out.println("Java: " + System.getProperty("java.version"));
> >>
> >>         try (Workbook wb = new XSSFWorkbook()) {
> >>             FileOutputStream out = new FileOutputStream(new File("C:\\temp\\test.xlsx"));
> >>             try {
> >>                 wb.write(out);
> >>             } finally {
> >>                 out.close();
> >>             }
> >>         }
> >>     }
> >>
> >>
> >> At least xerces-2.6.1 is not providing the "setFeature()" method;
> >> xerces-2.11 and 2.9.1 seem to have it, I did not check intermediate
> >> versions.
> >>
> >> I vote that we avoid this crash by either also catching the
> >> AbstractMethodError or not calling that method on older versions of
> >> Xerces that do not yet have "setFeature". Customers will run POI in
> >> all sorts of environments and thus it is likely that older versions
> >> of Xerces are still present in a number of them.
> >>
> >> Thus -1 from me unless it can be explained as being a local problem
> >> in my environment.
> >>
> >> Dominik.
> >>
> >> On Sun, Aug 17, 2014 at 11:45 PM, Andreas Beeker
> >> <[email protected]> wrote:
> >> > +1 from my side
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [email protected]
> >> > For additional commands, e-mail: [email protected]
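The pattern Uwe describes in his top message, trying each secure parser feature, catching AbstractMethodError as well as the checked exception when an outdated xml-apis/Xerces shadows the JDK's JAXP, and warning (rather than silently continuing) because a parser without those features is open to external-entity and entity-expansion attacks, can be shown stand-alone. The following is an added example written for this page; it is not POI's DocumentHelper nor any code from the thread. The class name, the particular feature URIs it sets (Xerces feature names plus the JAXP secure-processing flag), and the hostile document it feeds the parser are all my assumptions, constructed here for illustration.

```java
import java.io.ByteArrayInputStream;
import java.util.logging.Logger;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedDocumentBuilder {
    private static final Logger LOG = Logger.getLogger(HardenedDocumentBuilder.class.getName());

    // Constructed sample input (not from the thread): a DOCTYPE declaring an external
    // entity (XXE) plus an expanding internal entity. A parser that accepts the DOCTYPE
    // would read the referenced file and expand &b;; a hardened one rejects it up front.
    static final String HOSTILE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
        + "  <!ENTITY a \"aaaaaaaaaa\">\n"
        + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
        + "]>\n"
        + "<r>&xxe;&b;</r>";

    /**
     * Try to set one JAXP feature. Besides the checked exception (feature not
     * recognised by this implementation) it catches AbstractMethodError: a
     * DocumentBuilderFactory from a pre-JAXP-1.3 xml-apis.jar on the classpath has
     * no setFeature(String, boolean) at all, and that linkage failure only appears
     * at the call site. Either way the caller gets false and a warning is logged,
     * because the resulting parser is NOT hardened.
     */
    static boolean trySetFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) {
        try {
            dbf.setFeature(feature, enabled);
            return true;
        } catch (ParserConfigurationException e) {
            LOG.warning("XML parser does not support feature " + feature + ": " + e);
            return false;
        } catch (AbstractMethodError e) {
            LOG.warning("Outdated JAXP implementation on classpath (" + dbf.getClass().getName()
                + ") has no setFeature(); parser may be vulnerable to XXE / entity expansion: " + e);
            return false;
        }
    }

    /** Factory with external entities and DTD loading turned off (assumed feature set). */
    static DocumentBuilderFactory newHardenedFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refusing DOCTYPE altogether blocks both external entities and expansion bombs.
        trySetFeature(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case the parser does not know disallow-doctype-decl.
        trySetFeature(dbf, "http://xml.org/sax/features/external-general-entities", false);
        trySetFeature(dbf, "http://xml.org/sax/features/external-parameter-entities", false);
        trySetFeature(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        trySetFeature(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        try {
            Document d = parse(newHardenedFactory(), HOSTILE_XML);
            // Reached only if every feature failed to apply (old parser on the classpath).
            System.out.println("UNSAFE: document parsed, root text length = "
                + d.getDocumentElement().getTextContent().length());
        } catch (SAXException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it against the JDK's built-in parser and the DOCTYPE is refused; put an old xml-apis.jar ahead of it on the classpath and the warnings from trySetFeature are the only sign that the hostile document went through, which is exactly why the log level on that path should be "warning" and not something quieter.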
