66115 – Some Password protected XLS files are not read

Bug 66115 - Some Password protected XLS files are not read

Summary: Some Password protected XLS files are not read

Status:	RESOLVED FIXED

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	HSSF (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 major (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-06-13 08:18 UTC by ansh.sahajpal
Modified:	2022-06-16 22:59 UTC (History)
CC List:	1 user (show)

Attachments
The file causing the issue, password is adeptia (19.00 KB, application/vnd.ms-excel) 2022-06-13 08:18 UTC, ansh.sahajpal	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description ansh.sahajpal 2022-06-13 08:18:34 UTC

Created attachment 38314 [details]
The file causing the issue, password is adeptia

I have found an issue with HSSF and BIFF8 component to read password protected xls files. The issue is similar to the following issue id: https://bz.apache.org/bugzilla/show_bug.cgi?id=51815

I have gone through the issue and can confirm that i have the exact same error. However, I cannot see if the issue was fixed or not or any workaround.
I created a dummy xls file following some atypical steps mentioned below:

1. Right click anywhere on desktop.
2. Go to new-> XLSX document 
3. Open the XLSX document in WPS Office.
4. Add any data in the document.
5. Save the file in xls format via WPS Office
6. Add password protection to the file ( any password ).
7. Try to load the file in HSSFWorkBook after setting password in BIFF8EncryptionKey


I have created many files by following above steps, and I am only able to replicate the issue with few files. So, few of the files created with the exact same steps works fine however, few of the files do not.
I have attached the file with which I am able to replicate the issue.

We are using POI version 4.1.1.

Comment 1 ansh.sahajpal 2022-06-13 08:31:45 UTC

Code snippet used to read the file:

Biff8EncryptionKey.setCurrentUserPassword(null);
Biff8EncryptionKey.setCurrentUserPassword(password);
try {
	workbook = new HSSFWorkbook((InputStream) inputStream);
} catch (IOException e1) {
	throw e1;
} finally {
	Biff8EncryptionKey.setCurrentUserPassword(null);
}


Error Message:
Caused by: java.lang.IllegalArgumentException: Name is too long: �J�mA��}-܏LR����M��2'n���0ՀC>�.}�2�O���$�Ǉ%�� �
ze\��������C9�Xko%i�]��d�rhd_���[�=�@|%�*�~�
	at org.apache.poi.hssf.record.WriteAccessRecord.setUsername(WriteAccessRecord.java:102)
	at org.apache.poi.hssf.record.WriteAccessRecord.<init>(WriteAccessRecord.java:70)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.apache.poi.hssf.record.RecordFactory$ReflectionConstructorRecordCreator.create(RecordFactory.java:84)
	... 92 more

Comment 2 Andreas Beeker 2022-06-14 22:09:52 UTC

if the WriteAccessRecord.sid is added to the non-encrypted records in Biff8DecryptingStream::isNeverEncryptedRecord, the file can be read.

According to [1], the WriteAccess record is not exempted from being encrypted.
I'm therefore reluctant to simply add the sid to the above method.

I need to check further in the MS-XLS docs, if there's another flag I haven't handled yet.

[1]: 2.2.10 Encryption (Password to Open) -
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/0f2ea0a1-9fc8-468d-97aa-9d333b72d106

Comment 3 Andreas Beeker 2022-06-16 22:59:43 UTC

Fixed via r1901996

Added a workaround for invalid documents of WPS office, i.e. if the document is resaved via Excel the WriteAccessRecord gets encrypted again ...