Bug 59743

Summary: [PATCH] ZipSecureFile throwing "zip bomb detected" exception when writing SXSSFWorkbook
Product: POI Reporter: Axel Howind <axel>
Component: SXSSFAssignee: POI Developers List <dev>
Severity: normal Keywords: PatchAvailable
Priority: P2    
Version: 3.15-dev   
Target Milestone: ---   
Hardware: All   
OS: All   
Bug Depends on: 58499    
Bug Blocks:    
Attachments: Do not use ZipSecureFile in injectData()

Description Axel Howind 2016-06-22 19:22:07 UTC
When writing large Excel files with repeating data using the SXSSF implementation, calling SXSSFWorkbook.write() results in  ZipSecureFile throwing "zip bomb detected" exception. This check should only be carried out when reading workbooks.

This is triggered by reading back in the temporary data that POI itself wrote to the disk when the workbook was created.

To avoid the exception being thrown, the ZipFile class should be used directly when reading the temporary file back in.
Comment 1 Axel Howind 2016-06-22 19:23:51 UTC
Created attachment 33974 [details]
Do not use ZipSecureFile in injectData()
Comment 2 Javen O'Neal 2016-06-22 19:42:12 UTC
See related discussion on dev mailing list: http://apache-poi.1045710.n5.nabble.com/Bug-58499-ZipSecureFile-throws-zip-bomb-detected-td5723580.html
Comment 3 Andreas Beeker 2016-06-23 00:26:17 UTC
Thank you for your patch - applied with a test case via r1749799

As far as I can see, this only happens when shared strings are enabled,
because otherwise the uncompressed or gzip-ed data of the sheetXXX.xmls is copied directly, i.e. without using the ZipSecureFile