Bug 51623 - AgileDecryptor cycles
Summary: AgileDecryptor cycles
Status: RESOLVED WORKSFORME
Alias: None
Product: POI
Classification: Unclassified
Component: POIFS (show other bugs)
Version: 3.8-dev
Hardware: PC All
: P2 trivial (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on: 55818
Blocks:
  Show dependency tree
 
Reported: 2011-08-05 12:49 UTC by Tom K.
Modified: 2014-04-21 16:18 UTC (History)
0 users



Attachments
file cannot be opened by POI (445.57 KB, application/vnd.ms-excel)
2012-05-08 16:34 UTC, Juri
Details
Code and xlsx file to reproduce (34.05 KB, application/x-zip-compressed)
2012-05-11 09:30 UTC, Tom K.
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tom K. 2011-08-05 12:49:23 UTC
org.apache.poi.poifs.crypt.AgileDecryptor.ChunkedCipherInputStream.read(byte[], int, int) does not finish if there are less bytes left in the stream than requested by 3rd method parameter. It should also return -1 if no bytes were read because of end of stream.
Comment 1 Yegor Kozlov 2012-02-29 11:33:05 UTC
(In reply to comment #0)
> org.apache.poi.poifs.crypt.AgileDecryptor.ChunkedCipherInputStream.read(byte[],
> int, int) does not finish if there are less bytes left in the stream than
> requested by 3rd method parameter. It should also return -1 if no bytes were
> read because of end of stream.

This situation can happen when there are padding bytes and the stream is *longer* than the actual data. Can you upload a test case that shows the problem: I can't reproduce the problem with my MS Office 2010.

As of r1293784, POI provides Decryptor#getLength() that returns length of the
decrypted data stream. You should change your code to read this length instead of reading to the end of the stream, it should always work.

Yegor
Comment 2 Juri 2012-05-08 16:34:23 UTC
Created attachment 28743 [details]
file cannot be opened by POI

I found some xls files cannot be opened with the POI methods. However Office and Openoffice can open them.
These files are publicated by a fantasy football site and I suppose that they are created intentionally in this way, in order to avoid that their data could be taken by competitor applications.
Is known it's possible to realize excel files in this way?

Thanks a lot
Comment 3 Tom K. 2012-05-11 09:21:04 UTC
Hi Yegor,

I've run into this when I tried just to save decrypted version of a file without actually examining its contents. When we've started to actually parse the file using other POI stuff, this bug never occurred.

I'll attach code to reproduce...
Comment 4 Tom K. 2012-05-11 09:30:09 UTC
Created attachment 28759 [details]
Code and xlsx file to reproduce

The testcase.zip file contains encrypted xlsx file and TestDecryptor class with main method which save decrypted content of a file in another file.

There's also FixedAgileDecryptor class which is slightly adjusted POI AgileDecryptor, but with the cycling fixed. I don't remember anymore what I've changed in there, but it were just few lines... (it's AgileDecryptor from 3.8 beta4)
Comment 5 Andreas Beeker 2014-04-21 16:18:16 UTC
In the ChunkedCipherInputStream.read method there was a fix as part of #55818 - so I assume this issue has been fixed there.

The first attachment (Voti_37a_SerieA.xls) is a html file, which can be handled by Libre Office and MS Excel (but not MS Excel Viewer), so it's not relevant for this bug report.

The second attachment can be successfully read with the attached TestDecryptor-code and the following code ... so this works-for-me ;)

NPOIFSFileSystem fs = new NPOIFSFileSystem(new File("encrypted.xlsx"));
EncryptionInfo info = new EncryptionInfo(fs);

Decryptor d = Decryptor.getInstance(info);

assertTrue(d.verifyPassword("aaa"));

InputStream is = d.getDataStream(fs);
XSSFWorkbook wb = new XSSFWorkbook(is);
is.close();

Iterator<Row> row = wb.getSheetAt(0).rowIterator();
while (row.hasNext()) {
    Cell c = row.next().getCell(0);
    if (c == null) continue;
    System.out.println(c.getStringCellValue());
}