Spire.Doc is a professional Word .NET library specifically designed for developers to create, read, write, convert and print Word document files from any .NET platform (C#, VB.NET, ASP.NET, .NET Core) and Java applications (J2SE and J2EE) with fast and high quality performance.

Wed Jul 20, 2022 9:58 am

Hi,

We create a test.txt file and put some random HTML in it:
Code:
<!DOCTYPE html>
<html>
<body>
<h1>test</h1>
<img src="http://google.com/">
<br>
</body>
</html>

Then we change the extension of the file to .doc/.docx.
Later we open the test.docx document using:
Code:
using Spire.Doc;

// Load the renamed file and let Spire.Doc detect the format
Document document = new Document();
document.LoadFromFileInReadMode(@"test.docx", FileFormat.Auto);

What we can see using some inspection tools is that the machine that tries to open the document creates a request to http://google.com.
The problem is that this address can be the address of some malicious content.
Is there any way to stop this? Can we tell the Spire library not to perform any external requests?

bradjen
 
Posts: 13
Joined: Thu Jul 25, 2019 6:07 am

Thu Jul 21, 2022 9:17 am

Hi,

Thank you for your inquiry.
Please note that the created request address (http://google.com) comes from the image path in your HTML. I opened the address with Google Chrome and detected it as a malicious address using the Fiddler tool. Please change to a correct image path, such as https://www.e-iceblue.com/images/Introd ... NET/DN.png (I've verified it works fine). Please feel free to contact us if you have any questions.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 388
Joined: Mon Mar 07, 2022 2:30 am

Thu Jul 21, 2022 11:24 am

Hi,

The provided address http://google.com was just an example.
Some users are uploading that kind of document, and similar ones, to our production site.
We don't have control of any uploaded document, so it can be any address.
We need to be able to tell Spire.Doc to stop executing any request when opening a document.
Any ideas how to do this?

Why, in the first place, does Spire.Doc open an HTML document with the extension docx (it's not zipped, or XML-structured like old doc)?
This example is not a valid docx document, and some kind of exception should be thrown.

bradjen
 
Posts: 13
Joined: Thu Jul 25, 2019 6:07 am

Fri Jul 22, 2022 9:42 am

Hi,

As I said yesterday, opening your HTML in a browser will itself create the request. The request was not caused by our Spire.Doc; sorry, we can't stop executing it. I used Microsoft Word to open your HTML and save it as .docx, and no request was created when loading it with our Spire.Doc. This also implies that the reason for creating the request is that your document doesn't conform to the specification. You need to provide a document that is compliant with the specification and verify it with our product. Here I uploaded my saved .docx for your reference.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 388
Joined: Mon Mar 07, 2022 2:30 am

Fri Jul 22, 2022 1:47 pm

Hi,

Glad to know that you have tried opening this document with Microsoft Word and then saving it again in the right format,
but we would not pay a thousand dollars for a premium licence of your product if we had Microsoft Word running on a thousand online users' machines, that's for sure.
Sorry for the irony, but that is a fact. We can't prevent any users from uploading any content to our site, so we need strong validation of uploaded Microsoft Word content.
Using third-party libraries is not an option.
Spire.Office is solely responsible for handling this.
Why is your library trying to open invalid Microsoft Word files?
Can you add some validation method, or throw an exception in case of a corrupted or invalid Word file?

bradjen
 
Posts: 13
Joined: Thu Jul 25, 2019 6:07 am

Mon Jul 25, 2022 9:45 am

Hi,

Sorry for the late reply due to the weekend.
I posted your requirement to our dev team for further investigation; the problem ticket is SPIREDOC-8243. Once there is any update, I will inform you. We apologize for the inconvenience.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 388
Joined: Mon Mar 07, 2022 2:30 am

Fri Aug 05, 2022 7:27 am

Hi,
Any update about this issue?
Thanks.

bradjen
 
Posts: 13
Joined: Thu Jul 25, 2019 6:07 am

Fri Aug 05, 2022 9:56 am

Hi,

I got feedback from development. Due to the internal structure of our product, we cannot verify whether the input file is a valid Word file at this moment.
In addition, Spire.Doc can only judge if the URL is valid; if it is, we will access it. Stopping the execution of malicious requests is out of the scope of our product, but we can provide an interface to set allowable URLs, and then you can add validation for these URLs. If you accept this solution, we can develop this feature for you.
We apologize for the inconvenience and hope you can understand.

Sincerely,
Kylie
E-iceblue support team

kylie.tian
 
Posts: 388
Joined: Mon Mar 07, 2022 2:30 am
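
The validation requested in this thread can be done on the upload before it is handed to Spire.Doc. The following is an added example, not part of the original posts and not E-iceblue code: it classifies a file by its container signature instead of its extension, so HTML renamed to .docx is rejected up front. The names UploadSniffer, Classify and WordContainer are hypothetical, and it assumes a .docx is a ZIP package containing [Content_Types].xml and word/document.xml (the layout Word itself writes) and a legacy .doc is an OLE2 compound file.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text;

// Hypothetical helper, not part of Spire.Doc.
public enum WordContainer { NotWord, Docx, Ole2 }

public static class UploadSniffer
{
    // OLE2 compound file signature. It identifies the container only:
    // legacy .doc uses it, but so do .xls, .ppt and .msi.
    private static readonly byte[] Ole2Magic = { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

    public static WordContainer Classify(Stream input)
    {
        if (!input.CanSeek) throw new ArgumentException("Seekable stream required", nameof(input));
        var head = new byte[8];
        int read = 0, n;
        input.Position = 0;
        while (read < head.Length && (n = input.Read(head, read, head.Length - read)) > 0) read += n;
        input.Position = 0;

        if (read == 8 && head.SequenceEqual(Ole2Magic)) return WordContainer.Ole2;

        // ZIP local file header "PK\x03\x04", then the two parts a Word-written package has.
        if (read >= 4 && head[0] == 0x50 && head[1] == 0x4B && head[2] == 0x03 && head[3] == 0x04)
        {
            try
            {
                using (var zip = new ZipArchive(input, ZipArchiveMode.Read, leaveOpen: true))
                {
                    if (zip.GetEntry("[Content_Types].xml") != null &&
                        zip.GetEntry("word/document.xml") != null) return WordContainer.Docx;
                }
            }
            catch (InvalidDataException) { /* truncated or corrupt ZIP: treat as not Word */ }
            finally { input.Position = 0; }
        }
        return WordContainer.NotWord;
    }

    public static void Main()
    {
        // Constructed sample: the HTML from the first post, as it would arrive named test.docx.
        byte[] html = Encoding.ASCII.GetBytes("<!DOCTYPE html> <html> <body> <img src=\"http://google.com/\"> </body> </html>");
        using (var ms = new MemoryStream(html))
            Console.WriteLine(UploadSniffer.Classify(ms));
    }
}
```

Only files classified as Docx or Ole2 would go on to the Spire.Doc load call, with an explicit FileFormat rather than FileFormat.Auto; this check does not inspect references inside a genuine Word file.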
