[Bug 61572] New: Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 61572] New: Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

            Bug ID: 61572
           Summary: Illegal reflective access by
                    org.apache.poi.openxml4j.util.ZipSecureFile in Java 9
           Product: POI
           Version: 3.16-FINAL
          Hardware: PC
            Status: NEW
          Severity: minor
          Priority: P2
         Component: POI Overall
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

While testing Tika with java 9 we have hit:

WARNING: Illegal reflective access by
org.apache.poi.openxml4j.util.ZipSecureFile$1
(file:/E:/git/iped/target/release/iped-3.13/lib/poi-ooxml-3.16.jar) to field
 java.io.FilterInputStream.in
WARNING: All illegal access operations will be denied in a future release

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

Nick Burch <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Nick Burch <[hidden email]> ---
Are you able to retry with Apache POI 3.17, to see if it has been fixed with
some of the more recent Java 9 testing?

If not / if it still happens, what do we need to do with Tika and/or POI to
trigger it?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

--- Comment #2 from Axel Howind <[hidden email]> ---
I can confirm that this is still happening in 3.17.final.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

Axel Howind <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

--- Comment #3 from PJ Fanning <[hidden email]> ---
Java 9 is just out and it looks we have a few issues (eg
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564)

There is a plan to issue a 3.17.1 patch to fix issues when Java 9 is used.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

PJ Fanning <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |61564

--- Comment #4 from PJ Fanning <[hidden email]> ---
Java 9 is just out and it looks we have a few issues (eg
https://bz.apache.org/bugzilla/show_bug.cgi?id=61564)

There is a plan to issue a 3.17.1 patch to fix issues when Java 9 is used.


Referenced Bugs:

https://bz.apache.org/bugzilla/show_bug.cgi?id=61564
[Bug 61564] Illegal reflective access by org.apache.poi.util.DocumentHelper in
Java 9
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

--- Comment #5 from Andreas Beeker <[hidden email]> ---
Although I would like to fix this for 3.17.1, I think this can't be fixed
without changing the java zip implementation. Maybe commons compress could
help. I guess the chances are nil to get a modification into the Zip classes
?...

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

Dominik Stadler <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #6 from Dominik Stadler <[hidden email]> ---
It's not caused in the JVM, but by the usage of reflection in
ZipSecureFile.addThreshold().

I would first investigate and then discuss if there is even a fix necessary.

We do cover these code-lines in our unit-tests and we do continuous testing of
JDK 9 since some time.

Luis, can you state if you followed the steps indicated at
http://poi.apache.org/faq.html#faq-N102B0 and specified the given commandline
parameters when running your application with Java 9?

Also is the application crashing at that point or is this a mere output to
stderr. I think this one is just a warning on stderr and thus does not hinder
execution at all currently, right?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

--- Comment #7 from Axel Howind <[hidden email]> ---
Well, I think this should definitely be fixed. It's only a warning message, and
I don't expect this to have any other side effects for the time being. But if
you look at the discussions that took place during Java 9 development, the
message is: we decided last minute to allow this illegal access to give
library/software maintainers time to fix their codebase; we will disallow this
access by default in the next major release of Java. (that's not citing, it's
just what I recall from memory)

So not fixing this is just waiting for failure when the next release comes out.

I had looked into this some days ago. The code causing the issue seems to be
some kind of hotfix to prevent DOS attacks by using manipulated files (files
that contain zip bombs). To do this, an an InputStream field is read and
wrapped via reflective access. There's even already a comment in the code that
this will break in Java 9, and an explanation on how it should be fixed.

The code lies on different paths, one of which seems to be relatively easy to
fix. I think the other places are somewhat harder to fix. If I had the time,
I'd try to produce a fix. Currently, that's not the case. But if noone else
steps up, I hope I could do it before Java 10 GA. ;-)

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

--- Comment #8 from Dominik Stadler <[hidden email]> ---
Sorry for the confusion, I meant mostly "releasing 3.17.1 may not be
necessary/possible", fixing the warning for 4.0.0 if possible is naturally the
way to go.

However we still will support Java 8 as main version for some time, so that is
what needs to keep working for now, not Java 9 running perfectly smooth and
Java 8 not any longer.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61572] Illegal reflective access by org.apache.poi.openxml4j.util.ZipSecureFile in Java 9

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61572

Luis Filipe Nassif <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #9 from Luis Filipe Nassif <[hidden email]> ---
Hi Nick, the reflective access to FilterInputStream.in from ZipSecureFile is
still present in POI trunk.

Hi Dominik, no, I did not add those command line parameters (--add-opens,
--add-modules, so on), although I was aware of them. Part of our app and Tika
are libraries, so not always we have control of command line parameters.

And yes, that is just a warning from the jvm and poi works with java 9. But I
think that could be improved long term to work in future versions of java.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]