Spire.Doc is a professional Word .NET library specifically designed for developers to create, read, write, convert and print Word document files. Get free and professional technical support for Spire.Doc for .NET, Java, Android, C++, Python.

Wed Jul 20, 2022 9:58 am

Hi,

We create a test.txt file and put some random html:
Code:
<!DOCTYPE html>
<html>
<body>
<h1>test</h1>
<img src="http://google.com/">
<br>
</body>
</html>

Then we change extension of file to .doc/.docx.
Later we open test.docx document using:
Code:
using Spire.Doc;

// FileFormat.Auto: let the library detect the input format.
Document document = new Document();
document.LoadFromFileInReadMode(@"test.docx", FileFormat.Auto);

What we can see using some inspection tools is that the machine that tries to open the document creates a request to http://google.com.
The problem is that this address can be the address of some malicious content.
Is there any way to stop this? Can we tell the Spire library not to perform any external requests?

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Thu Jul 21, 2022 9:17 am

Hi,

Thank you for your inquiry.
Please note that the created request address (http://google.com) comes from the image path in your HTML. I opened the address with Google Chrome and detected it as a malicious address using the Fiddler tool. Please change to a correct image path, such as https://www.e-iceblue.com/images/Introd ... NET/DN.png (I've verified it works fine). Please feel free to contact us if you have any questions.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Thu Jul 21, 2022 11:24 am

Hi,

The provided address http://google.com was just an example.
Some users are uploading documents of that kind and similar on our production site.
We don't have control of any uploaded document, so it can be any address.
We need to be able to tell Spire.Doc to stop executing any request when opening a document.
Any ideas how to do this?

Why in the first place does Spire.Doc open an HTML document with the extension docx (it's not zipped, or XML-structured like old doc)?
This example is not a valid docx document, and some kind of exception should be thrown.

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am
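
The container check asked for in the post above can be done before the file reaches Spire.Doc. This is an added example, not part of the thread and not Spire.Doc code; `WordKind`, `UploadCheck` and `Sniff` are hypothetical names, and the `word/document.xml` path is an assumption about how Word writes .docx files.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text;

// Added example. WordKind, UploadCheck and Sniff are hypothetical names,
// not part of Spire.Doc. The stream must be seekable.
public enum WordKind { NotWord, Docx, LegacyDoc }

public static class UploadCheck
{
    // OLE2 compound-file signature (legacy .doc, also .xls/.ppt) and ZIP local-header signature.
    static readonly byte[] Ole2 = { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };
    static readonly byte[] Zip = { 0x50, 0x4B, 0x03, 0x04 };

    public static WordKind Sniff(Stream s)
    {
        var head = new byte[8];
        int n = 0, r;
        s.Position = 0;
        while (n < head.Length && (r = s.Read(head, n, head.Length - n)) > 0) n += r;
        s.Position = 0;

        if (n == 8 && head.SequenceEqual(Ole2)) return WordKind.LegacyDoc;
        if (n < 4 || !head.Take(4).SequenceEqual(Zip)) return WordKind.NotWord; // HTML, RTF, text...
        try
        {
            // A ZIP is only treated as .docx if it carries the OPC content-type map and
            // the main part at the path Word writes (assumption: other producers may differ).
            using var zip = new ZipArchive(s, ZipArchiveMode.Read, leaveOpen: true);
            bool ok = zip.GetEntry("[Content_Types].xml") != null
                   && zip.GetEntry("word/document.xml") != null;
            return ok ? WordKind.Docx : WordKind.NotWord;
        }
        catch (InvalidDataException) { return WordKind.NotWord; }
        finally { s.Position = 0; }
    }

    public static void Main()
    {
        // Constructed sample: the HTML from the first post, as it would arrive named test.docx.
        byte[] upload = Encoding.UTF8.GetBytes(
            "<!DOCTYPE html> <html> <body> <h1>test</h1> <img src=\"http://google.com/\"> <br> </body> </html>");
        using var ms = new MemoryStream(upload);
        WordKind kind = Sniff(ms);
        // Hand the file to Document.LoadFromFileInReadMode only for Docx or LegacyDoc.
        Console.WriteLine(kind == WordKind.NotWord ? "rejected" : "accepted as " + kind);
    }
}
```

This check only rejects files that are not Word containers; a well-formed .docx can still reference external resources, so the conversion host should also run without outbound network access.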

Fri Jul 22, 2022 9:42 am

Hi,

As I said yesterday, opening your HTML in a browser itself will create the request. The reason for creating the request was not caused by our Spire.Doc; sorry, we can't stop executing it. I used Microsoft Word to open your HTML and save it as .docx, and no request was created when loading it with our Spire.Doc. This also infers that the reason for creating the request is that your document doesn't conform to the specification. You need to provide a document that is compliant with the specification and verify it with our product. Here I uploaded my saved .docx for your reference.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Fri Jul 22, 2022 1:47 pm

Hi,

Glad to know that you have tried with Microsoft Word to open this document, and then save it again in the right format,
but we would not pay a thousand dollars for a premium licence of your product if we had Microsoft Word running on a thousand online users' machines - that's for sure.
Sorry for the ironic typing, but that is a fact. We can't prevent any users from uploading any content to our site - so we need strong validation of uploaded Microsoft Word content.
Using third-party libraries is not an option.
Spire.Office is only responsible for handling this.
Why is your library trying to open invalid Microsoft Word files?
Can you add some validation method, or throw an exception in case of a corrupted or invalid Word file?

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Mon Jul 25, 2022 9:45 am

Hi,

Sorry for the late reply due to the weekend.
I posted your requirement to our dev team for further investigation; the problem ticket is SPIREDOC-8243. Once there is any update, I will inform you. We apologize for the inconvenience.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Fri Aug 05, 2022 7:27 am

Hi,
Any update about this issue?
Thanks.

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Fri Aug 05, 2022 9:56 am

Hi,

I got feedback from development. Due to the internal structure of our product, we cannot verify whether the input file is a valid Word file at this moment.
In addition, Spire.Doc can only judge if the URL is valid; if it is, we will access it. Stopping the execution of malicious requests is out of the scope of our product, but we can provide an interface to set allowable URLs and then you can add validation for these URLs. If you accept this solution we can develop this feature for you.
We apologize for the inconvenience and hope you can understand.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Wed Oct 12, 2022 8:09 am

Hi Kylie,

Sorry for this late response, somehow I failed to post it.

Yes, this kind of solution is fine for us, please include this fix in future versions. It would be great to have both options - "whitelist" and "blacklist" URLs as config options.

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Wed Oct 12, 2022 10:27 am

Hi,

If there is any good news, I will inform you immediately.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Fri Oct 28, 2022 6:59 am

Hi,

Please check with development if this is on the roadmap, and when we can expect it in the public versions.

Kind regards.

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Fri Oct 28, 2022 10:13 am

Hi,

Sorry I can't provide an estimated timeframe at this moment. I have urged our dev team. If there is any meaningful progress, I will let you know immediately. Thanks for your understanding.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 412
Joined: Mon Mar 07, 2022 2:30 am

Mon Mar 13, 2023 3:39 pm

Hi, do you have any update on this one?

bradjen
 
Posts: 24
Joined: Thu Jul 25, 2019 6:07 am

Tue Mar 14, 2023 10:15 am

Hi bradjen,

About “an interface to set allowable urls and then you can add validation for these urls” that was previously mentioned, I am sorry to tell you that there is no significant progress so far due to the complexity of the case. Our Dev team will keep looking into it. Once there’s any update, I will let you know. Sorry for the inconvenience caused.

Best Regards,
Herman
E-iceblue support team

Herman.Yan
 
Posts: 115
Joined: Wed Mar 08, 2023 2:00 am

Fri Mar 24, 2023 7:50 am

Hi,

your problem, our development team conducted further investigation and discussion. Based on the sample document you provided, our product itself supports loading HTML format, and the URL ('http://google.com/') you provided itself is correct. Thus, we cannot identify it as an invalid document, and can not validate the URL's effectiveness. Otherwise, it would violate our current internal logic. We hope for your understanding.

Best Regards,
Herman
E-iceblue support team

Herman.Yan
 
Posts: 115
Joined: Wed Mar 08, 2023 2:00 am
