Summary: | multiple warning log about accessExternalSchema | ||
---|---|---|---|
Product: | POI | Reporter: | neo.wcng |
Component: | SXSSF | Assignee: | POI Developers List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | cody.lerum, fabio.heer |
Priority: | P2 | ||
Version: | 5.0.0-FINAL | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | All |
Description
neo.wcng
2021-05-24 16:01:35 UTC
this is benign - I've tried to relax the code so the logging won't happen (after v5.1.0 is released) - r1894032 I'm receiving this message still in 5.1.0 running JDK 17. Did the change to remove the logging make it in to 5.1.0? It does seem to raise every 5 minutes is this something that everyone is going to need to mute in their logging configuration? 2021-11-16 17:12:54,452 WARN [org.apache.poi.util.XMLHelper] (default task-402) SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD: java.lang.IllegalArgumentException: TransformerFactory does not recognise attribute 'http://javax.xml.XMLConstants/property/accessExternalDTD'. at org.apache.xalan//org.apache.xalan.xsltc.trax.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:373) at __redirected.__TransformerFactory.setAttribute(__TransformerFactory.java:119) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) at deployment.ROOT.war//org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) Cody, your stacktrace seems to indicate that you are not using poi-5.1.0.jar - that you are using an older jar. XMLHelper line 224 does not set accessExternalSchema param in latest code. https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/util/XMLHelper.java#L224 If the logging upsets you, can't you change your log configuration so the XMLHelper does not emit info level logs? PJ, Everything looks like I'm using 5.1.0 but I'm not able to easily verify the sources or debug it as https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/poi-5.1.0-sources.jar is returning a 404 I can update the logging in my application server to only show ERROR level or higher for org.apache.poi.util.XMLHelper as it logs as a warn level in a wildfly application server. Unfortunately it still is a 404 for me, but I suspect that is a cloudfront cache issue based on the headers. I see the issue in an Springboot 2.6, Java Java 1.8.0_312 based application. I don't see the warning using POI 5.0.0. org.apache.poi.util.XMLHelper : SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD java.lang.IllegalArgumentException: Nicht unterstützt: http://javax.xml.XMLConstants/property/accessExternalDTD at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571) ~[xalan-2.7.2.jar:na] at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) [poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224) [poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231) [poi-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) [poi-ooxml-5.1.0.jar:5.1.0] at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:111) ~[spring-webmvc-5.3.13.jar:5.3.13] at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:98) ~[spring-webmvc-5.3.13.jar:5.3.13] at org.springframework.web.context.request.async.WebAsyncManager.lambda$startCallableProcessing$4(WebAsyncManager.java:337) ~[spring-web-5.3.13.jar:5.3.13] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_312] at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_312] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_312] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_312] at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_312] This issue is not about accessExternalDTD - it is about accessExternalSchema - a different property - closing Would like to reopen this issue as there are still warnings for accessExternalSchema - from XMLHelper.getDocumentBuilderFactory(): 2021-11-24 16:09:55,799 WARN [pool-4-thread-1] (XMLHelper.java:307) - SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalSchema java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) ~[xerces_impl-2.12.1b.jar:?] at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.getDocumentBuilderFactory(XMLHelper.java:114) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.<clinit>(XMLHelper.java:85) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.util.DocumentHelper.newDocumentBuilder(DocumentHelper.java:47) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.util.DocumentHelper.<clinit>(DocumentHelper.java:36) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:429) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.xssf.streaming.SXSSFWorkbook.write(SXSSFWorkbook.java:963) ~[poi-ooxml-5.1.0.jar:5.1.0] This is with external Xerces library. Forcing POI to use the internal Xerces implementation from Java runtime yields no warnings. We're now forcing the internal implementations of Xerces and Xalan to be used with POI to get rid of the warnings. Maybe POI could use them directly instead of relying on what the runtime offers as default? POI uses JAXP API - it users' responsibility to configure their JVM to use the best parsers/transformers Using a parser/transformer that causes logging like this means that users are using sub-optimal implementations and expose themselves to security issues I had a look at the XMLHelper and its code that logs issues at most once every 5 minutes may not be ideal. The code doesn't differentiate between events. If we log one event, then we don't log any for next 5 mins. Maybe it would be better to log once the event once and remember what we logged so we don't log it again? This would use up some memory - keeping track of all the messages we've already logged but if we're careful with the implementation, we may not use up too much. I favour not removing logging because I think it is useful to warn users that their parser implementation does not support all the security settings. added r1897568 |