Bug 62692

Summary: WildFly XML parser not properly supported - Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized
Product: POI
Reporter: rniestroj
Component: OPC
Assignee: POI Developers List <dev>
Status: RESOLVED FIXED    
Severity: regression    
Priority: P2    
Version: 4.0.0-FINAL   
Target Milestone: ---   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 62805, 62943    

Description rniestroj 2018-09-07 13:13:42 UTC
After updating Apache POI from 3.17 to 4.0.0 I'm getting on line:

`OPCPackage pck = OPCPackage.open(this.getTemplate());`

an exception:

    java.lang.IllegalArgumentException: Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized.
         at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(DocumentBuilderFactoryImpl.java:144)
         at __redirected.__DocumentBuilderFactory.setAttribute(__DocumentBuilderFactory.java:125)
         at org.apache.poi.ooxml.util.DocumentHelper.trySetXercesSecurityManager(DocumentHelper.java:143)
         at org.apache.poi.ooxml.util.DocumentHelper.<clinit>(DocumentHelper.java:108)
         at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.parseContentTypesFile(ContentTypeManager.java:392)
         at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.<init>(ContentTypeManager.java:104)
         at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.<init>(ZipContentTypeManager.java:54)
         at org.apache.poi.openxml4j.opc.ZipPackage.getPartsImpl(ZipPackage.java:258)
         at org.apache.poi.openxml4j.opc.OPCPackage.getParts(OPCPackage.java:725)
         at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:275)
         at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:181)

They say in https://stackoverflow.com/questions/25453042/how-to-disable-accessexternaldtd-and-entityexpansionlimit-warnings-with-logback that I should exclude xerces, but I had this already:

      <dependency>
         <groupId>org.apache.poi</groupId>
         <artifactId>poi</artifactId>
         <version>4.0.0</version>
      </dependency>
      <dependency>
         <groupId>org.apache.poi</groupId>
         <artifactId>poi-ooxml</artifactId>
         <version>4.0.0</version>
         <exclusions>
            <exclusion>
               <groupId>xml-apis</groupId>
               <artifactId>xml-apis</artifactId>
            </exclusion>
            <exclusion>
               <groupId>xerces</groupId>
               <artifactId>xercesImpl</artifactId>
            </exclusion>
         </exclusions>
      </dependency>

My setup: 

 - JDK 8 
 - WildFly 14

Going back to 3.17 fixes the issue. 

Posted also on https://stackoverflow.com/questions/52218278/after-update-apache-poi-4-0-property-http-www-oracle-com-xml-jaxp-propertie

Comment 1 PJ Fanning 2018-09-07 14:58:57 UTC
Fix added using https://svn.apache.org/viewvc?view=revision&revision=1840304

Comment 2 Dominik Stadler 2018-09-07 21:01:56 UTC
There are a few more issues, I just adjusted the CI build at https://builds.apache.org/view/P/view/POI/job/POI-DSL-old-Xerces/96/console to really run with Xerces and now a few more unit tests fail:

1) testXMLReader(org.apache.poi.ooxml.util.TestSAXHelper)
     [java] org.xml.sax.SAXNotRecognizedException: http://javax.xml.XMLConstants/feature/secure-processing
     [java] 	at org.apache.xerces.parsers.AbstractSAXParser.getFeature(Unknown Source)
     [java] 	at org.apache.poi.ooxml.util.TestSAXHelper.testXMLReader(TestSAXHelper.java:34)

 [java] 2) testDocumentBuilderFactory(org.apache.poi.ooxml.util.TestDocumentHelper)
     [java] java.lang.AbstractMethodError: javax.xml.parsers.DocumentBuilderFactory.getFeature(Ljava/lang/String;)Z
     [java] 	at org.apache.poi.ooxml.util.TestDocumentHelper.testDocumentBuilderFactory(TestDocumentHelper.java:40)

[java] 3) testBuiltinStyleInit(org.apache.poi.xssf.usermodel.TestTableStyles)
     [java] java.lang.AbstractMethodError: org.apache.xml.serialize.DOMSerializerImpl.getDomConfig()Lorg/w3c/dom/DOMConfiguration;
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.styleXML(XSSFBuiltinTableStyle.java:424)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.init(XSSFBuiltinTableStyle.java:406)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.getStyle(XSSFBuiltinTableStyle.java:346)
     [java] 	at org.apache.poi.xssf.usermodel.TestTableStyles.testBuiltinStyleInit(TestTableStyles.java:45)


[java] 4) zipBombCheckSizesWithinLimits(org.apache.poi.openxml4j.opc.TestPackage)
     [java] org.apache.poi.ooxml.POIXMLException: Zip bomb detected! The file would exceed the max size of the expanded data in the zip-file.
     [java] This may indicates that the file is used to inflate memory usage and thus could pose a security risk.
     [java] You can adjust this limit via ZipSecureFile.setMaxEntrySize() if you need to work with files which are very large.
     [java] Uncompressed size: 1048807, Raw/compressed size: 57587
     [java] Limits: MAX_ENTRY_SIZE: 1048783, Entry: xl/sharedStrings.xml
     [java] 	at org.apache.poi.ooxml.POIXMLFactory.createDocumentPart(POIXMLFactory.java:66)
     [java] 	at org.apache.poi.ooxml.POIXMLDocumentPart.read(POIXMLDocumentPart.java:648)
     [java] 	at org.apache.poi.ooxml.POIXMLDocument.load(POIXMLDocument.java:180)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:286)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbookFactory.createWorkbook(XSSFWorkbookFactory.java:83)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbookFactory.createWorkbook(XSSFWorkbookFactory.java:111)

Comment 3 Dominik Stadler 2018-09-07 21:03:23 UTC
rniestroj@go2.pl, I think you might still include xerces or some other XML Parser in your project, can you post the output of "mvn dependency:tree" here?

Comment 4 Dominik Stadler 2018-09-07 21:04:10 UTC
Ah, never mind, I just saw the title of the issue...

Comment 5 rniestroj 2018-09-08 16:27:29 UTC
Adding xerces as a direct dependency as suggested by PJ Fanning helped. Is this a bug in POI or is my setup wrong?

Comment 6 PJ Fanning 2018-09-08 17:27:28 UTC
Ideally users will use up to date XML parsers because there are numerous security issues in the older versions of the parsers.
The POI team are still trying to support older parsers though.

Comment 7 PJ Fanning 2018-10-05 18:39:04 UTC
Opened https://bz.apache.org/bugzilla/show_bug.cgi?id=62805 for the remaining old-xerces build issues
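
An added example, not POI's code and not the change from revision 1840304: one way to apply XML hardening settings to a `DocumentBuilderFactory` when the parser on the classpath may reject some of them, as in the stack traces above. The class name, method names and the limit value are hypothetical; the feature and property URIs are the standard JAXP, Xerces and JDK ones.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

/** Hypothetical helper: harden a factory without assuming which parser backs it. */
public final class TolerantXmlHardening {
    // Property from the stack trace in this bug; known to the JDK's built-in parser.
    static final String JDK_ENTITY_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    // Xerces-style feature that rejects any DOCTYPE, so no entities can be declared.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Returns the settings the parser refused, so callers can log them or fail closed. */
    public static List<String> harden(DocumentBuilderFactory f) {
        List<String> rejected = new ArrayList<>();
        f.setExpandEntityReferences(false);
        trySetFeature(f, XMLConstants.FEATURE_SECURE_PROCESSING, rejected);
        trySetFeature(f, DISALLOW_DOCTYPE, rejected);
        try {
            f.setAttribute(JDK_ENTITY_LIMIT, 1000); // constructed example limit
        } catch (IllegalArgumentException e) {
            // Thrown by parsers that do not know the property (the failure reported here).
            rejected.add(JDK_ENTITY_LIMIT);
        }
        return rejected;
    }

    private static void trySetFeature(DocumentBuilderFactory f, String name, List<String> rejected) {
        try {
            f.setFeature(name, true);
        } catch (ParserConfigurationException | AbstractMethodError e) {
            // AbstractMethodError: old factory classes lacking the newer JAXP methods,
            // the same error class Comment 2 shows for getFeature.
            rejected.add(name);
        }
    }

    public static void main(String[] args) {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        List<String> rejected = harden(f);
        System.out.println(f.getClass().getName() + " rejected: " + rejected);
        // Fail closed if neither entity protection could be applied.
        if (rejected.contains(DISALLOW_DOCTYPE) && rejected.contains(JDK_ENTITY_LIMIT)) {
            throw new IllegalStateException("no entity-expansion protection available");
        }
    }
}
```

Running it inside the application server rather than in a unit test shows which factory the container actually hands out and which settings that factory accepts.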