kelemen opened a new pull request, #823: URL: https://github.com/apache/poi/pull/823
As it is now, we can only set a global `TempFileCreationStrategy`, which assumes that all documents within the same process have the same security profile (and quota), which may or may not be the case. Currently it is not possible to work around this limitation in a multithreaded application.

This PR intends to fix this issue by allowing a `TempFileCreationStrategy` to be set for `SXSSFWorkbook` and `ZipPackage` instances.

Implementation notes:

- I have not deleted the `BinaryRC4Encryptor.BinaryRC4CipherOutputStream(DirectoryNode)` constructor because it is protected and in theory might be used (though given that other implementations have the counterparts of this class private, I'm guessing this visibility is unintended).
- When adjusting the `OPCPackage.open` methods (to avoid duplicating logic), I'm relying on a new `OPCPackageOpener` class. However, strictly speaking my implementation is not 100% backward compatible (it can be adjusted of course if needed), because the new `OPCPackageOpener` immediately throws an NPE when it receives a null `PackageAccess` or `OPCComplianceFlags`, while the original implementation does not. Rather, the original implementation will simply store the nulls, and will (likely) throw an exception on first use. Should I adjust my changes to be 100% backward compatible, or is this an acceptable risk for this project?
- Not directly related to this PR, but while making the adjustments, I have noticed that `DefaultTempFileCreationStrategy` is buggy (at least I doubt its behavior is intended): when it detects that the temporary directory does not exist, it will reset the directory to what is in `java.io.tmpdir` even if a different directory was specified in the constructor. I'm mentioning this only because this issue can be a security risk (if someone changed the tmp dir due to security reasons), and this PR might make this issue more visible.

--
This is an automated message from the Apache Git Service.
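A fail-closed alternative to the fallback described in the last implementation note, as an added example that is not part of the pull request or of POI. The class name `StrictTempDirStrategy`, the `tenant-a-` directory and the file prefixes are hypothetical; the class runs without POI on the classpath, and its two public methods are shaped like those of POI's `TempFileCreationStrategy` interface.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

// Added example, not POI code. The class name and behaviour are assumptions for illustration.
// With POI on the classpath the class could declare
// "implements org.apache.poi.util.TempFileCreationStrategy" without changing the method bodies.
public class StrictTempDirStrategy {
    private final Path dir;

    public StrictTempDirStrategy(Path dir) {
        this.dir = dir.toAbsolutePath().normalize();
    }

    // Fail closed: a missing directory is an error, never a reason to switch to java.io.tmpdir.
    private Path requireDir() throws IOException {
        if (!Files.isDirectory(dir)) {
            throw new NoSuchFileException(dir.toString(), null,
                    "configured temp dir is missing; refusing to fall back");
        }
        return dir;
    }

    public File createTempFile(String prefix, String suffix) throws IOException {
        // Files.createTempFile creates the file owner-only on POSIX file systems.
        return Files.createTempFile(requireDir(), prefix, suffix).toFile();
    }

    public File createTempDirectory(String prefix) throws IOException {
        return Files.createTempDirectory(requireDir(), prefix).toFile();
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("tenant-a-"); // constructed sample directory
        StrictTempDirStrategy strategy = new StrictTempDirStrategy(base);

        File f = strategy.createTempFile("poi-sxssf-", ".xml");
        System.out.println("inside configured dir: " + f.toPath().startsWith(strategy.dir));

        Files.delete(f.toPath());
        Files.delete(base); // simulate the configured directory disappearing
        try {
            strategy.createTempFile("poi-sxssf-", ".xml");
            System.out.println("unexpected: file created after directory removal");
        } catch (NoSuchFileException e) {
            System.out.println("refused: " + e.getReason());
        }
    }
}
```

Running `main` shows the second `createTempFile` call being refused once the configured directory is gone, so document data never lands in the shared `java.io.tmpdir` location.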