You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@poi.apache.org by dn...@apache.org on 2016/08/01 12:51:24 UTC

svn commit: r1754744 - in /poi: site/src/documentation/content/xdocs/ trunk/src/java/org/apache/poi/poifs/crypt/ trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/ trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/

Author: dnorth
Date: Mon Aug  1 12:51:24 2016
New Revision: 1754744

URL: http://svn.apache.org/viewvc?rev=1754744&view=rev
Log:
Fix zero-padding and handling of empty passwords (meaning protection on, but no password to remove it) for XSSF workbook protection.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59920

Modified:
    poi/site/src/documentation/content/xdocs/status.xml
    poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
    poi/trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java
    poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFSheet.java

Modified: poi/site/src/documentation/content/xdocs/status.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/status.xml?rev=1754744&r1=1754743&r2=1754744&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/status.xml (original)
+++ poi/site/src/documentation/content/xdocs/status.xml Mon Aug  1 12:51:24 2016
@@ -76,6 +76,7 @@
         <action dev="PD" type="add" fixes-bug="59781">Common SS: Move PaneInformation from HSSF to SS package</action>
         <action dev="PD" type="fix" fixes-bug="59766">When setting SAX features, handle Error too (eg from Google AppEngine)</action>
         <action dev="PD" type="fix" fixes-bug="59734">Make lookup and creation of named ranges constant-time instead of linear in the number of ranges in the workbook.</action>
+        <action dev="PD" type="fix" fixes-bug="59920">Fix regression in the handling of empty passwords for workbook protection.</action>
     </release>
 
     <release version="3.15-beta2" date="2016-07-02">

Modified: poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java?rev=1754744&r1=1754743&r2=1754744&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java (original)
+++ poi/trunk/src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java Mon Aug  1 12:51:24 2016
@@ -374,20 +374,22 @@ public class CryptoFunctions {
         // SET Verifier TO 0x0000
         short verifier = 0;
 
-        // FOR EACH PasswordByte IN PasswordArray IN REVERSE ORDER
-        for (int i = arrByteChars.length-1; i >= 0; i--) {
-            // SET Verifier TO Intermediate3 BITWISE XOR PasswordByte
+        if (!"".equals(password)) {
+            // FOR EACH PasswordByte IN PasswordArray IN REVERSE ORDER
+            for (int i = arrByteChars.length-1; i >= 0; i--) {
+                // SET Verifier TO Intermediate3 BITWISE XOR PasswordByte
+                verifier = rotateLeftBase15Bit(verifier);
+                verifier ^= arrByteChars[i];
+            }
+    
+            // as we haven't prepended the password length into the input array
+            // we need to do it now separately ...
             verifier = rotateLeftBase15Bit(verifier);
-            verifier ^= arrByteChars[i];
+            verifier ^= arrByteChars.length;
+            
+            // RETURN Verifier BITWISE XOR 0xCE4B
+            verifier ^= 0xCE4B; // (0x8000 | ('N' << 8) | 'K')
         }
-
-        // as we haven't prepended the password length into the input array
-        // we need to do it now separately ...
-        verifier = rotateLeftBase15Bit(verifier);
-        verifier ^= arrByteChars.length;
-        
-        // RETURN Verifier BITWISE XOR 0xCE4B
-        verifier ^= 0xCE4B; // (0x8000 | ('N' << 8) | 'K')
         
         return verifier & 0xFFFF;
     }

Modified: poi/trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java?rev=1754744&r1=1754743&r2=1754744&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/xssf/usermodel/helpers/XSSFPaswordHelper.java Mon Aug  1 12:51:24 2016
@@ -55,8 +55,8 @@ public class XSSFPaswordHelper {
         cur.toFirstContentToken();
         if (hashAlgo == null) {
             int hash = CryptoFunctions.createXorVerifier1(password);
-            cur.insertAttributeWithValue(getAttrName(prefix, "password"), 
-                                         Integer.toHexString(hash).toUpperCase(Locale.ROOT));
+            cur.insertAttributeWithValue(getAttrName(prefix, "password"),
+                                         String.format(Locale.ROOT, "%04X", hash).toUpperCase(Locale.ROOT));
         } else {
             SecureRandom random = new SecureRandom(); 
             byte salt[] = random.generateSeed(16);

Modified: poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFSheet.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFSheet.java?rev=1754744&r1=1754743&r2=1754744&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFSheet.java (original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFSheet.java Mon Aug  1 12:51:24 2016
@@ -80,6 +80,7 @@ import org.openxmlformats.schemas.spread
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTXf;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.STCalcMode;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.STPane;
+import org.openxmlformats.schemas.spreadsheetml.x2006.main.STUnsignedShortHex;
 
 
 public final class TestXSSFSheet extends BaseTestXSheet {
@@ -1099,6 +1100,30 @@ public final class TestXSSFSheet extends
         wb.close();
     }
 
+    @Test
+    public void protectSheet_emptyPassword() throws IOException {
+        XSSFWorkbook wb = new XSSFWorkbook();
+        XSSFSheet sheet = wb.createSheet();
+        CTSheetProtection pr = sheet.getCTWorksheet().getSheetProtection();
+        assertNull("CTSheetProtection should be null by default", pr);
+        String password = "";
+        sheet.protectSheet(password);
+        pr = sheet.getCTWorksheet().getSheetProtection();
+        assertNotNull("CTSheetProtection should be not null", pr);
+        assertTrue("sheet protection should be on", pr.isSetSheet());
+        assertTrue("object protection should be on", pr.isSetObjects());
+        assertTrue("scenario protection should be on", pr.isSetScenarios());
+        int hashVal = CryptoFunctions.createXorVerifier1(password);
+        STUnsignedShortHex xpassword = pr.xgetPassword();
+        int actualVal = Integer.parseInt(xpassword.getStringValue(),16);
+        assertEquals("well known value for top secret hash should match", hashVal, actualVal);
+
+        sheet.protectSheet(null);
+        assertNull("protectSheet(null) should unset CTSheetProtection", sheet.getCTWorksheet().getSheetProtection());
+
+        wb.close();
+    }
+
     @Test
     public void protectSheet_lowlevel_2013() throws IOException {
         String password = "test";



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org