Hi,
We have found a security issue that seems to have been introduced in Aspose.Cells 7.5.2.1. When we clear the workbook of table information and refresh pivot tables, some information is still retained in the modified workbook’s “SharedStrings.xml” file (inner XML file of an XLSX file). This is a security issue in cases where we’d clear the workbook’s data before saving a copy (which we can then use in the future as a base template to display the same data) into a public folder. Data should only be in the XML files if the Excel file shows any data when it is opened in MS Excel.
I have attached a small project to demonstrate the issue. I have also attached an input file “input file with pivot table” for you to use.
I have also attached the zip files of the outputs.
- generated file with Aspose.Cells 7.5.2.0
- generated file with Aspose.Cells 7.5.2.1
If you compare the “SharedStrings.xml” files of each output file, you can see the difference.
Additional Information:
- So far this only seems to be an issue with files containing pivot tables
- We are currently using Aspose.Cells 7.5.3.0 but the issue seems to have been introduced in Aspose.Cells 7.5.2.1 as the issue is not in 7.5.2.0
- We really need this issue to be resolved as soon as possible as our deadline for building a demo application was the end of today.
Hi,
Thanks for your posting and using Aspose.Cells for .NET.
We were able to observe this issue using the latest version with your source project and source file. SharedStrings.xml still retains some information when the latest version is used, even when that information has been cleared from the generated workbook. We have logged this issue in our database. We will look into it and resolve this issue. Once the issue is resolved or we have some other update for you, we will let you know asap.
This issue has been logged as CELLSNET-42025.
Hi,
Hi, I have just downloaded the recent version of Aspose.Cells 7.5.3.2. Since it is 1 mini version higher than what we expected the next build could be (7.5.3.1), I thought I might as well test to see if this issue was fixed from another poster’s raised issue. I cannot seem to reproduce this bug in the latest issue. Could you please confirm this?
Additional Information:
- We used a tool (Agent Ransack) to check if certain potentially sensitive information is still in the cleared output file, and also extracted the xlsx file into a folder of its XML contents.
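
The check described in this thread (searching the unpacked XLSX parts for data that should have been cleared) can be automated before a template is published. The following is an added example, not code from the posters or from Aspose; the function names and the sample workbook contents are constructed for illustration. It lists shared strings that no worksheet cell references and reports which package parts still contain given sensitive terms.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def shared_strings(zf):
    """Return the shared string table as a list (index = position)."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    # An <si> may hold one <t> or several rich-text runs; join all <t> text.
    return ["".join(t.text or "" for t in si.iter("{%s}t" % NS["m"]))
            for si in root.findall("m:si", NS)]

def orphaned_strings(xlsx_bytes):
    """Shared strings that no worksheet cell references (stale data candidates)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        table = shared_strings(zf)
        used = set()
        for name in zf.namelist():
            if not re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                continue
            sheet = ET.fromstring(zf.read(name))
            for c in sheet.iter("{%s}c" % NS["m"]):
                v = c.find("m:v", NS)
                if c.get("t") == "s" and v is not None:  # t="s": index into table
                    used.add(int(v.text))
    return [s for i, s in enumerate(table) if i not in used]

def parts_containing(xlsx_bytes, terms):
    """Map each package part to the sensitive terms still present in it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", "replace")
            found = [t for t in terms if t in text]
            if found:
                hits[name] = found
    return hits

def build_sample():
    """Constructed sample: a 'cleared' sheet whose string table kept old values."""
    sst = ('<sst xmlns="%s"><si><t>Region</t></si>'
           '<si><t>Acme Corp</t></si><si><t>Jane Doe</t></si></sst>' % NS["m"])
    sheet = ('<worksheet xmlns="%s"><sheetData><row r="1">'
             '<c r="A1" t="s"><v>0</v></c></row></sheetData></worksheet>' % NS["m"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()
```

Running `orphaned_strings` on a saved template as a release gate catches this class of leftover data regardless of which library version produced the file; the raw substring search does not account for XML-escaped characters in the terms.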
Hi,
The issues you have found earlier (filed as CELLSNET-42025) have been fixed in this update.