Bug 59743 - [PATCH] ZipSecureFile throwing "zip bomb detected" exception when writing SXSSFWorkbook
Summary: [PATCH] ZipSecureFile throwing "zip bomb detected" exception when writing SXS...
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: SXSSF (show other bugs)
Version: 3.15-dev
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords: PatchAvailable
Depends on: 58499
Blocks:
  Show dependency tree
 
Reported: 2016-06-22 19:22 UTC by Axel Howind
Modified: 2016-06-23 00:26 UTC (History)
0 users



Attachments
Do not use ZipSecureFile in injectData() (790 bytes, patch)
2016-06-22 19:23 UTC, Axel Howind
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Axel Howind 2016-06-22 19:22:07 UTC
When writing large Excel files with repeating data using the SXSSF implementation, calling SXSSFWorkbook.write() results in  ZipSecureFile throwing "zip bomb detected" exception. This check should only be carried out when reading workbooks.

This is triggered by reading back in the temporary data that POI itself wrote to the disk when the workbook was created.

To avoid the exception being thrown, the ZipFile class should be used directly when reading the temporary file back in.
Comment 1 Axel Howind 2016-06-22 19:23:51 UTC
Created attachment 33974 [details]
Do not use ZipSecureFile in injectData()
Comment 2 Javen O'Neal 2016-06-22 19:42:12 UTC
See related discussion on dev mailing list: http://apache-poi.1045710.n5.nabble.com/Bug-58499-ZipSecureFile-throws-zip-bomb-detected-td5723580.html
Comment 3 Andreas Beeker 2016-06-23 00:26:17 UTC
Thank you for your patch - applied with a test case via r1749799

As far as I can see, this only happens when shared strings are enabled,
because otherwise the uncompressed or gzip-ed data of the sheetXXX.xmls is copied directly, i.e. without using the ZipSecureFile