Bug 62692 - WildFly XML parser not properly supported - Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: OPC
Version: 4.0.0-FINAL
Hardware: All All
Importance: P2 regression
Target Milestone: ---
Assignee: POI Developers List
Blocks: 62805 62943
Reported: 2018-09-07 13:13 UTC by rniestroj
Modified: 2018-11-25 21:11 UTC
Description rniestroj 2018-09-07 13:13:42 UTC
After updating Apache POI from 3.17 to 4.0.0 I'm getting on line:

`OPCPackage pck = OPCPackage.open(this.getTemplate());`

an exception:

    java.lang.IllegalArgumentException: Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized.
         at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(DocumentBuilderFactoryImpl.java:144)
         at __redirected.__DocumentBuilderFactory.setAttribute(__DocumentBuilderFactory.java:125)
         at org.apache.poi.ooxml.util.DocumentHelper.trySetXercesSecurityManager(DocumentHelper.java:143)
         at org.apache.poi.ooxml.util.DocumentHelper.<clinit>(DocumentHelper.java:108)
         at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.parseContentTypesFile(ContentTypeManager.java:392)
         at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.<init>(ContentTypeManager.java:104)
         at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.<init>(ZipContentTypeManager.java:54)
         at org.apache.poi.openxml4j.opc.ZipPackage.getPartsImpl(ZipPackage.java:258)
         at org.apache.poi.openxml4j.opc.OPCPackage.getParts(OPCPackage.java:725)
         at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:275)
         at org.apache.poi.openxml4j.opc.OPCPackage.open(OPCPackage.java:181)

They say in https://stackoverflow.com/questions/25453042/how-to-disable-accessexternaldtd-and-entityexpansionlimit-warnings-with-logback that I should exclude xerces, but I had this already:

      <dependency>
         <groupId>org.apache.poi</groupId>
         <artifactId>poi</artifactId>
         <version>4.0.0</version>
      </dependency>
      <dependency>
         <groupId>org.apache.poi</groupId>
         <artifactId>poi-ooxml</artifactId>
         <version>4.0.0</version>
         <exclusions>
            <exclusion>
               <groupId>xml-apis</groupId>
               <artifactId>xml-apis</artifactId>
            </exclusion>
            <exclusion>
               <groupId>xerces</groupId>
               <artifactId>xercesImpl</artifactId>
            </exclusion>
         </exclusions>
      </dependency>

My setup: 

 - JDK 8 
 - WildFly 14

Going back to 3.17 fixes the issue. 

Posted also on https://stackoverflow.com/questions/52218278/after-update-apache-poi-4-0-property-http-www-oracle-com-xml-jaxp-propertie
Comment 1 PJ Fanning 2018-09-07 14:58:57 UTC
fix added using https://svn.apache.org/viewvc?view=revision&revision=1840304
Comment 2 Dominik Stadler 2018-09-07 21:01:56 UTC
There are a few more issues, I just adjusted the CI build at https://builds.apache.org/view/P/view/POI/job/POI-DSL-old-Xerces/96/console to really run with Xerces and now a few more unit tests fail:

1) testXMLReader(org.apache.poi.ooxml.util.TestSAXHelper)
     [java] org.xml.sax.SAXNotRecognizedException: http://javax.xml.XMLConstants/feature/secure-processing
     [java] 	at org.apache.xerces.parsers.AbstractSAXParser.getFeature(Unknown Source)
     [java] 	at org.apache.poi.ooxml.util.TestSAXHelper.testXMLReader(TestSAXHelper.java:34)

 [java] 2) testDocumentBuilderFactory(org.apache.poi.ooxml.util.TestDocumentHelper)
     [java] java.lang.AbstractMethodError: javax.xml.parsers.DocumentBuilderFactory.getFeature(Ljava/lang/String;)Z
     [java] 	at org.apache.poi.ooxml.util.TestDocumentHelper.testDocumentBuilderFactory(TestDocumentHelper.java:40)

[java] 3) testBuiltinStyleInit(org.apache.poi.xssf.usermodel.TestTableStyles)
     [java] java.lang.AbstractMethodError: org.apache.xml.serialize.DOMSerializerImpl.getDomConfig()Lorg/w3c/dom/DOMConfiguration;
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.styleXML(XSSFBuiltinTableStyle.java:424)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.init(XSSFBuiltinTableStyle.java:406)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFBuiltinTableStyle.getStyle(XSSFBuiltinTableStyle.java:346)
     [java] 	at org.apache.poi.xssf.usermodel.TestTableStyles.testBuiltinStyleInit(TestTableStyles.java:45)


[java] 4) zipBombCheckSizesWithinLimits(org.apache.poi.openxml4j.opc.TestPackage)
     [java] org.apache.poi.ooxml.POIXMLException: Zip bomb detected! The file would exceed the max size of the expanded data in the zip-file.
     [java] This may indicates that the file is used to inflate memory usage and thus could pose a security risk.
     [java] You can adjust this limit via ZipSecureFile.setMaxEntrySize() if you need to work with files which are very large.
     [java] Uncompressed size: 1048807, Raw/compressed size: 57587
     [java] Limits: MAX_ENTRY_SIZE: 1048783, Entry: xl/sharedStrings.xml
     [java] 	at org.apache.poi.ooxml.POIXMLFactory.createDocumentPart(POIXMLFactory.java:66)
     [java] 	at org.apache.poi.ooxml.POIXMLDocumentPart.read(POIXMLDocumentPart.java:648)
     [java] 	at org.apache.poi.ooxml.POIXMLDocument.load(POIXMLDocument.java:180)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbook.<init>(XSSFWorkbook.java:286)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbookFactory.createWorkbook(XSSFWorkbookFactory.java:83)
     [java] 	at org.apache.poi.xssf.usermodel.XSSFWorkbookFactory.createWorkbook(XSSFWorkbookFactory.java:111)
Comment 3 Dominik Stadler 2018-09-07 21:03:23 UTC
rniestroj@go2.pl, I think you might still include xerces or some other XML Parser in your project, can you post the output of "mvn dependency:tree" here?
Comment 4 Dominik Stadler 2018-09-07 21:04:10 UTC
ah, never mind, I just saw the title of the issue...
Comment 5 rniestroj 2018-09-08 16:27:29 UTC
Adding xerces as a direct dependency as suggested by PJ Fanning helped. Is this a bug in POI or is my setup wrong?
Comment 6 PJ Fanning 2018-09-08 17:27:28 UTC
Ideally users will use up to date XML parsers because there are numerous security issues in the older versions of the parsers.
The POI team are still trying to support older parsers though.
Comment 7 PJ Fanning 2018-10-05 18:39:04 UTC
Opened https://bz.apache.org/bugzilla/show_bug.cgi?id=62805 for the remaining old-xerces build issues
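
The failure in the description, shown as an added example that is not part of the bug thread and is not POI's code from the referenced revision: each XML hardening setting is applied on its own, so a parser that does not recognise one (as the Xerces build here did not recognise `entityExpansionLimit`) cannot abort initialisation, and the rejected settings are recorded instead of silently dropped. The class name, the `harden` helper, the limit value and the sample document are assumptions made for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class TolerantXmlHardening {
    // Property name taken from the exception in this report.
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    /** Applies each setting independently; returns the names the parser rejected. */
    static List<String> harden(DocumentBuilderFactory f) {
        List<String> rejected = new ArrayList<>();
        String[] features = {
            XMLConstants.FEATURE_SECURE_PROCESSING,
            "http://apache.org/xml/features/disallow-doctype-decl"
        };
        for (String name : features) {
            try {
                f.setFeature(name, true);
            } catch (Exception | AbstractMethodError e) { // old JAXP/Xerces builds
                rejected.add(name);
            }
        }
        try {
            f.setAttribute(ENTITY_EXPANSION_LIMIT, 4096); // constructed limit value
        } catch (IllegalArgumentException e) { // the exception seen in this report
            rejected.add(ENTITY_EXPANSION_LIMIT);
        }
        f.setExpandEntityReferences(false);
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        List<String> rejected = harden(f);
        System.out.println("parser: " + f.getClass().getName() + ", rejected: " + rejected);
        // Constructed sample input: a document that declares an internal entity.
        String xml = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("DOCTYPE accepted: hardening incomplete on this parser");
        } catch (org.xml.sax.SAXException e) {
            System.out.println("DOCTYPE refused: " + e.getMessage());
        }
    }
}
```

A non-empty `rejected` list is the signal to log loudly or refuse untrusted documents, rather than parse OOXML with limits silently missing.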