Bug 59743 - [PATCH] ZipSecureFile throwing "zip bomb detected" exception when writing SXSSFWorkbook
Summary: [PATCH] ZipSecureFile throwing "zip bomb detected" exception when writing SXS...
Alias: None
Product: POI
Classification: Unclassified
Component: SXSSF (show other bugs)
Version: 3.15-dev
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
Keywords: PatchAvailable
Depends on: 58499
  Show dependency tree
Reported: 2016-06-22 19:22 UTC by Axel Howind
Modified: 2016-06-23 00:26 UTC (History)
0 users

Do not use ZipSecureFile in injectData() (790 bytes, patch)
2016-06-22 19:23 UTC, Axel Howind
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Axel Howind 2016-06-22 19:22:07 UTC
When writing large Excel files with repeating data using the SXSSF implementation, calling SXSSFWorkbook.write() results in  ZipSecureFile throwing "zip bomb detected" exception. This check should only be carried out when reading workbooks.

This is triggered by reading back in the temporary data that POI itself wrote to the disk when the workbook was created.

To avoid the exception being thrown, the ZipFile class should be used directly when reading the temporary file back in.
Comment 1 Axel Howind 2016-06-22 19:23:51 UTC
Created attachment 33974 [details]
Do not use ZipSecureFile in injectData()
Comment 2 Javen O'Neal 2016-06-22 19:42:12 UTC
See related discussion on dev mailing list: http://apache-poi.1045710.n5.nabble.com/Bug-58499-ZipSecureFile-throws-zip-bomb-detected-td5723580.html
Comment 3 Andreas Beeker 2016-06-23 00:26:17 UTC
Thank you for your patch - applied with a test case via r1749799

As far as I can see, this only happens when shared strings are enabled,
because otherwise the uncompressed or gzip-ed data of the sheetXXX.xmls is copied directly, i.e. without using the ZipSecureFile