🐛 OOXML: Don't remove OLE objects
They are recursively sanitised by the OLE bleach
punkeel committed May 4, 2017
1 parent 27a46db commit 77ee356
Showing 2 changed files with 2 additions and 10 deletions.
Expand Up @@ -42,6 +42,7 @@ public void sanitize(InputStream inputStream, OutputStream outputStream, BleachS
NPOIFSFileSystem fsIn = new NPOIFSFileSystem(inputStream);
NPOIFSFileSystem fs = new NPOIFSFileSystem()
) {
// @TODO: Filter based on Storage Class ID - see issue #23
sanitize(session, fsIn, fs);

if (ClassID.EXCEL97.equals(fs.getRoot().getStorageClsid())) {
Expand Down Expand Up @@ -72,6 +73,7 @@ protected void sanitize(BleachSession session, DirectoryEntry rootIn, DirectoryE
.and(new SummaryInformationSanitiser(session));

LOGGER.debug("Root ClassID: {}", rootIn.getStorageClsid());
rootOut.setStorageClsid(rootIn.getStorageClsid());

rootIn.getEntries().forEachRemaining(entry -> {
if (!visitor.test(entry)) {
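Review bot: In the second hunk, `rootOut.setStorageClsid(rootIn.getStorageClsid());` copies the storage class ID of the untrusted input into the sanitised output unchanged, and the `// @TODO: Filter based on Storage Class ID - see issue #23` comment in the first hunk only defers the check. The copy appears to exist so the caller's `ClassID.EXCEL97.equals(fs.getRoot().getStorageClsid())` test can see the ID on the output root, which is worth stating on the line, e.g. `// Copied verbatim so the caller can inspect the root CLSID; this is not an allow-list (see #23)`, since this commit now also routes OLE objects embedded in OOXML documents through this sanitiser. Until #23 lands, logging the copied CLSID at a level operators actually watch (the `LOGGER.debug` above it is easy to miss) would at least make an unexpected class ID visible in the sanitisation log. Both `sanitize` overloads begin and end outside the hunks shown.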
Expand Up @@ -46,12 +46,6 @@ public class OOXMLBleach implements Bleach {
Relations.VBA_PROJECT_SIGNATURE,
Relations.WORD_VBA_DATA,

// OLE Objects
Relations.OPENXML_OLE_OBJECT,
Relations.OLE_OBJECT,
Relations.E1_OBJECT,
Relations.E2_OBJECT,

// ActiveX Controls
Relations.OPENXML_CONTROL,
Relations.OPENXML_ACTIVEX_CONTROL,
Expand All @@ -69,10 +63,6 @@ public class OOXMLBleach implements Bleach {
// Blacklisting Postscript to prevent 0days
ContentTypes.POSTSCRIPT,

// OLE Objects
ContentTypes.OLE_OBJECT,
ContentTypes.PACKAGE,

// ActiveX objects
ContentTypes.ACTIVEX,
ContentTypes.OPENXML_ACTIVEX,

1 comment on commit 77ee356

@punkeel
Contributor Author

@punkeel punkeel commented on 77ee356 May 4, 2017


#23
