Hi,
In documents generated by Aspose.Words, in the document.xml there is a version disclosure in an XML comment:
Where X is the version of Aspose used to generate the document.
Is there any way to remove this version disclosure?
The reason I’m asking is because we recently did a security review that identified this as a possible attack vector and information leakage.
We could open the .docx zip and then clean the XML to remove the information disclosure but that is of course a bit cumbersome.
Awais,
Any news on this - it’s been more than one month now?
Hi Andreas,
Thanks for your inquiry. Unfortunately, this issue (WORDSNET-14282) is not resolved yet. This issue is currently pending analysis and is in the queue. We will inform you via this thread as soon as this issue is resolved. We apologize for any inconvenience.
Best regards,
We went ahead and worked around this by modifying the Aspose .docx/zip output stream directly.
If anyone else reading this is interested, this can be done using the standard .NET 4.5 ZipArchive.
Pass the Aspose docx output stream through something like this:
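```csharp
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Text.RegularExpressions;

private static void RemoveDocxComments(Stream inputStream)
{
    if (inputStream.CanSeek) inputStream.Seek(0, SeekOrigin.Begin);
    // Update mode rewrites the entry in place; the stream must be readable, writable and seekable.
    using (var archive = new ZipArchive(inputStream, ZipArchiveMode.Update, false))
    {
        var entry = archive.GetEntry("word/document.xml");
        if (entry == null) return;
        using (var entryStream = entry.Open())
        using (var reader = new StreamReader(entryStream, Encoding.UTF8))
        {
            // The pattern did not survive in the post as shown; matching any XML comment is an assumption.
            var cleanedXml = new Regex("<!--.*?-->", RegexOptions.Singleline).Replace(reader.ReadToEnd(), "");
            using (var streamWriter = new StreamWriter(entryStream))
            {
                // Truncate the entry before writing the cleaned XML back.
                entryStream.SetLength(0);
                streamWriter.Write(cleanedXml);
                streamWriter.Flush();
            }
        }
    }
}
```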
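A release check that confirms the workaround above actually took effect, as an added example that is not part of the original post or of Aspose's code: it scans every XML part of a .docx package for leftover XML comments. The function names, the sample package and the placeholder comment text (`ExampleLib X.Y.Z`) are constructed for the illustration.

```python
import io
import re
import zipfile

# XML comments can span lines, so match non-greedily with DOTALL.
XML_COMMENT = re.compile(rb"<!--(.*?)-->", re.DOTALL)
XML_PARTS = (".xml", ".rels")


def find_xml_comments(docx_bytes):
    """Return [(part_name, comment_text)] for every XML comment in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for info in package.infolist():
            if not info.filename.lower().endswith(XML_PARTS):
                continue  # skip media and other binary parts
            data = package.read(info)
            for match in XML_COMMENT.finditer(data):
                text = match.group(1).decode("utf-8", "replace").strip()
                findings.append((info.filename, text))
    return findings


def build_sample_docx(document_xml):
    """Constructed minimal package for the demo; not a complete Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", document_xml)
        package.writestr("word/media/image1.png", b"\x89PNG<!-- not xml -->")
    return buf.getvalue()


# Constructed sample input: the comment text is a placeholder, not real generator output.
LEAKY = build_sample_docx(
    '<?xml version="1.0"?>\n<!-- Generated by ExampleLib\n X.Y.Z -->\n<w:document/>'
)
CLEAN = build_sample_docx('<?xml version="1.0"?>\n<w:document/>')

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        hits = find_xml_comments(sample)
        print(name, "FAIL" if hits else "OK", hits)
```

Running this against generated documents in a build or test step catches a regression if a library upgrade or a code path that bypasses the cleanup reintroduces the comment.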
Hi Andreas,
We have passed this information to our product team and will keep you posted on any further updates.
Best regards,