Security - remove version disclosure in generated documents

Hi,


In documents generated by Aspose.Words, the document.xml contains a version disclosure in an XML comment:
Where X is the version of Aspose used to generate the document.

Is there any way to remove this version disclosure?

The reason I’m asking is because we recently did a security review that identified this as a possible attack vector and information leakage.

We could open the .docx zip and then clean the XML to remove the information disclosure but that is of course a bit cumbersome.

Hi Andreas,


Thanks for your inquiry. For the sake of any correction, we have logged this problem as WORDSNET-14282 in our issue tracking system. Our product team will further look into the details of this problem and we will keep you updated on the status of this issue. We apologize for any inconvenience.

Best regards,

Awais,


Any news on this - it’s been more than one month now?

Hi Andreas,

Thanks for your inquiry. Unfortunately, this issue (WORDSNET-14282) is not resolved yet. This issue is currently pending for analysis and is in the queue. We will inform you via this thread as soon as this issue is resolved. We apologize for any inconvenience.

Best regards,

We went ahead and worked around this by modifying the Aspose .docx/zip output stream directly.


If anyone else reading this is interested, this can be done using the standard .NET 4.5 ZipArchive.

Pass the Aspose docx output stream through something like this:

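using System.IO;
using System.IO.Compression;
using System.Text;
using System.Text.RegularExpressions;

// Strips XML comments from word/document.xml in a .docx held in a readable, writable, seekable stream.
private static void RemoveDocxComments(Stream inputStream)
{
    if (inputStream.CanSeek) inputStream.Seek(0, SeekOrigin.Begin);
    // leaveOpen is false, so disposing the archive also closes inputStream.
    using (var archive = new ZipArchive(inputStream, ZipArchiveMode.Update, false))
    {
        var entry = archive.GetEntry("word/document.xml");
        if (entry == null) return;
        using (var entryStream = entry.Open())
        using (var reader = new StreamReader(entryStream, Encoding.UTF8))
        {
            // The regex pattern did not survive on this page; a pattern matching any
            // XML comment is assumed here from the method name.
            var cleanedXml = new Regex("<!--.*?-->", RegexOptions.Singleline).Replace(reader.ReadToEnd(), "");
            using (var streamWriter = new StreamWriter(entryStream))
            {
                // Truncate the entry, then write the cleaned XML back in its place.
                entryStream.SetLength(0);
                streamWriter.Write(cleanedXml);
                streamWriter.Flush();
            }
        }
    }
}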
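
A check to run on generated output after a cleanup like the one above, added here as an example and not part of the original posts or of Aspose's code: it lists every XML comment left in any XML part of the package, not only word/document.xml. The class and method names and the sample package contents are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;

static class DocxCommentAudit
{
    // Returns "part name: comment text" for every XML comment in any .xml or .rels part.
    public static List<string> FindXmlComments(Stream docx)
    {
        var findings = new List<string>();
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var archive = new ZipArchive(docx, ZipArchiveMode.Read, leaveOpen: true))
        {
            foreach (var entry in archive.Entries)
            {
                if (!entry.FullName.EndsWith(".xml", StringComparison.OrdinalIgnoreCase) &&
                    !entry.FullName.EndsWith(".rels", StringComparison.OrdinalIgnoreCase)) continue;
                using (var part = entry.Open())
                using (var reader = XmlReader.Create(part, settings))
                    while (reader.Read())
                        if (reader.NodeType == XmlNodeType.Comment)
                            findings.Add(entry.FullName + ": " + reader.Value.Trim());
            }
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample package: one part with a placeholder comment, one clean part.
        var package = new MemoryStream();
        using (var zip = new ZipArchive(package, ZipArchiveMode.Create, leaveOpen: true))
        {
            WritePart(zip, "word/document.xml", "<?xml version=\"1.0\"?><!-- generator PLACEHOLDER --><doc/>");
            WritePart(zip, "word/styles.xml", "<?xml version=\"1.0\"?><styles/>");
        }
        package.Position = 0;
        foreach (var finding in FindXmlComments(package)) Console.WriteLine(finding);
    }

    static void WritePart(ZipArchive zip, string name, string xml)
    {
        using (var writer = new StreamWriter(zip.CreateEntry(name).Open(), new UTF8Encoding(false)))
            writer.Write(xml);
    }
}
```

An empty result means no comments remain; wiring the call into a unit test over a freshly generated document catches the comment reappearing after a library upgrade.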

Hi Andreas,


We have passed this information to our product team and will keep you posted on any further updates.

Best regards,

Hi Andreas,


Regarding WORDSNET-14282, our product team has completed the work on your issue and has come to a conclusion that they won’t be able to implement the fix to your issue because of company policies. Your issue (WORDSNET-14282) has now been closed with ‘Won’t Fix’ resolution. You may keep using the workaround code that you found earlier to meet this requirement. We apologize for any inconvenience.

Best regards,