You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@poi.apache.org by bu...@apache.org on 2017/09/29 00:30:06 UTC
[Bug 61572] New: Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Bug ID: 61572
Summary: Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Product: POI
Version: 3.16-FINAL
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: POI Overall
Assignee: dev@poi.apache.org
Reporter: lfcnassif@gmail.com
Target Milestone: ---
While testing Tika with java 9 we have hit:
WARNING: Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile$1
(file:/E:/git/iped/target/release/iped-3.13/lib/poi-ooxml-3.16.jar) to field
java.io.FilterInputStream.in
WARNING: All illegal access operations will be denied in a future release
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Dominik Stadler <do...@gmx.at> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|minor |enhancement
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Andreas Beeker <ki...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #13 from Andreas Beeker <ki...@apache.org> ---
Fixed via #62187
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
PJ Fanning <fa...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lg.lindstrom@consius.se
--- Comment #10 from PJ Fanning <fa...@yahoo.com> ---
*** Bug 62034 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
PJ Fanning <fa...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |61564
--- Comment #4 from PJ Fanning <fa...@yahoo.com> ---
Java 9 is just out and it looks we have a few issues (eg
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564)
There is a plan to issue a 3.17.1 patch to fix issues when Java 9 is used.
Referenced Bugs:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564
[Bug 61564] Illegal reflective access by org.apache.poi.util.DocumentHelper in
Java 9
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
--- Comment #5 from Andreas Beeker <ki...@apache.org> ---
Although I would like to fix this for 3.17.1, I think this can't be fixed
without changing the java zip implementation. Maybe commons compress could
help. I guess the chances are nil to get a modification into the Zip classes
?...
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
PJ Fanning <fa...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sergei.visotsky@gmail.com
--- Comment #12 from PJ Fanning <fa...@yahoo.com> ---
*** Bug 62050 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Luis Filipe Nassif <lf...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #9 from Luis Filipe Nassif <lf...@gmail.com> ---
Hi Nick, the reflective access to FilterInputStream.in from ZipSecureFile is
still present in POI trunk.
Hi Dominik, no, I did not add those command line parameters (--add-opens,
--add-modules, so on), although I was aware of them. Part of our app and Tika
are libraries, so not always we have control of command line parameters.
And yes, that is just a warning from the jvm and poi works with java 9. But I
think that could be improved long term to work in future versions of java.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
--- Comment #7 from Axel Howind <ax...@dua3.com> ---
Well, I think this should definitely be fixed. It's only a warning message, and
I don't expect this to have any other side effects for the time being. But if
you look at the discussions that took place during Java 9 development, the
message is: we decided last minute to allow this illegal access to give
library/software maintainers time to fix their codebase; we will disallow this
access by default in the next major release of Java. (that's not citing, it's
just what I recall from memory)
So not fixing this is just waiting for failure when the next release comes out.
I had looked into this some days ago. The code causing the issue seems to be
some kind of hotfix to prevent DOS attacks by using manipulated files (files
that contain zip bombs). To do this, an an InputStream field is read and
wrapped via reflective access. There's even already a comment in the code that
this will break in Java 9, and an explanation on how it should be fixed.
The code lies on different paths, one of which seems to be relatively easy to
fix. I think the other places are somewhat harder to fix. If I had the time,
I'd try to produce a fix. Currently, that's not the case. But if noone else
steps up, I hope I could do it before Java 10 GA. ;-)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Dominik Stadler <do...@gmx.at> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #6 from Dominik Stadler <do...@gmx.at> ---
It's not caused in the JVM, but by the usage of reflection in
ZipSecureFile.addThreshold().
I would first investigate and then discuss if there is even a fix necessary.
We do cover these code-lines in our unit-tests and we do continuous testing of
JDK 9 since some time.
Luis, can you state if you followed the steps indicated at
http://poi.apache.org/faq.html#faq-N102B0 and specified the given commandline
parameters when running your application with Java 9?
Also is the application crashing at that point or is this a mere output to
stderr. I think this one is just a warning on stderr and thus does not hinder
execution at all currently, right?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
--- Comment #3 from PJ Fanning <fa...@yahoo.com> ---
Java 9 is just out and it looks we have a few issues (eg
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564)
There is a plan to issue a 3.17.1 patch to fix issues when Java 9 is used.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
--- Comment #8 from Dominik Stadler <do...@gmx.at> ---
Sorry for the confusion, I meant mostly "releasing 3.17.1 may not be
necessary/possible", fixing the warning for 4.0.0 if possible is naturally the
way to go.
However we still will support Java 8 as main version for some time, so that is
what needs to keep working for now, not Java 9 running perfectly smooth and
Java 8 not any longer.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
--- Comment #2 from Axel Howind <ax...@dua3.com> ---
I can confirm that this is still happening in 3.17.final.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Andreas Beeker <ki...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |62187
Referenced Bugs:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62187
[Bug 62187] Compiling with Java 10 fails with ClassCastException:
org.apache.poi.openxml4j.util.ZipSecureFile$ThresholdInputStream cannot be cast
to java.base/java.util.zip.ZipFile$ZipFileInputStream
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Axel Howind <ax...@dua3.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Nick Burch <ap...@gagravarr.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
OS| |All
--- Comment #1 from Nick Burch <ap...@gagravarr.org> ---
Are you able to retry with Apache POI 3.17, to see if it has been fixed with
some of the more recent Java 9 testing?
If not / if it still happens, what do we need to do with Tika and/or POI to
trigger it?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
PJ Fanning <fa...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |wcgrnway@cox.net
--- Comment #11 from PJ Fanning <fa...@yahoo.com> ---
*** Bug 61991 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Bug 61572 depends on bug 61564, which changed state.
Bug 61564 Summary: Illegal reflective access by org.apache.poi.util.DocumentHelper in Java 9
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
[Bug 61572] Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572
Jan Peter Stotz <jp...@gmx.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jpstotz@gmx.de
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org