pashko/apache-poi
1
0
Fork 0
mirror of https://github.com/apache/poi.git synced 2026-02-27 20:40:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
apache-poi/content/index.html
PJ Fanning e901a2c083 publish site
2026-02-16 20:14:18 +01:00

470 lines
22 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta content="Apache Forrest" name="Generator">
<meta name="Forrest-version" content="0.9">
<meta name="Forrest-skin-name" content="pelt">
<title>Apache POI&trade; - the Java API for Microsoft Documents</title>
<link type="text/css" href="skin/basic.css" rel="stylesheet">
<link media="screen" type="text/css" href="skin/screen.css" rel="stylesheet">
<link media="print" type="text/css" href="skin/print.css" rel="stylesheet">
<link type="text/css" href="skin/profile.css" rel="stylesheet">
<script src="skin/getBlank.js" language="javascript" type="text/javascript"></script><script src="skin/getMenu.js" language="javascript" type="text/javascript"></script><script src="skin/fontsize.js" language="javascript" type="text/javascript"></script>
<link rel="shortcut icon" href="images/favicon.ico">
</head>
<body onload="init()">
<script type="text/javascript">ndeSetTextSize();</script>
<div id="top">
<!--+
|breadtrail
+-->
<div class="breadtrail">
<a href="https://www.apache.org">Apache Software Foundation</a> &gt; <a href="https://poi.apache.org">Apache POI</a><script src="skin/breadcrumbs.js" language="JavaScript" type="text/javascript"></script>
</div>
<!--+
|header
+-->
<div class="header">
<!--+
|start group logo
+-->
<div class="grouplogo">
<a href="https://www.apache.org"><img class="logoImage" alt="Apache Software Foundation" src="images/asflogo_horizontal_color.svg" title="The Apache Software Foundation is a cornerstone of the modern Open Source software ecosystem &ndash; supporting some of the most widely used and important software solutions powering today's Internet economy."></a>
</div>
<!--+
|end group logo
+-->
<!--+
|start Project Logo
+-->
<div class="projectlogo">
<a href="https://poi.apache.org"><img class="logoImage" alt="Apache POI" src="images/project-header.png" title="Apache POI is well-known in the Java field as a library for reading and writing Microsoft Office file formats, such as Excel, PowerPoint, Word, Visio, Publisher and Outlook. It supports both the older (OLE2) and new (OOXML - Office Open XML) formats."></a>
</div>
<!--+
|end Project Logo
+-->
<!--+
|start Search
+-->
<div class="searchbox">
<form action="https://www.google.com/search" method="get" class="roundtopsmall">
<input value="poi.apache.org" name="sitesearch" type="hidden"><input onFocus="getBlank (this, 'Search the site with google');" size="25" name="q" id="query" type="text" value="Search the site with google">&nbsp;
<input name="Search" value="Search" type="submit">
</form>
</div>
<!--+
|end search
+-->
<!--+
|start Tabs
+-->
<ul id="tabs">
<li class="current">
<a class="selected" href="index.html">Home</a>
</li>
<li>
<a class="unselected" href="help/index.html">Help</a>
</li>
<li>
<a class="unselected" href="components/index.html">Component APIs</a>
</li>
<li>
<a class="unselected" href="devel/index.html">Getting Involved</a>
</li>
</ul>
<!--+
|end Tabs
+-->
</div>
</div>
<div id="main">
<div id="publishedStrip">
<!--+
|start Subtabs
+-->
<div id="level2tabs"></div>
<!--+
|end Endtabs
+-->
<script type="text/javascript"><!--
document.write("Last Published: " + document.lastModified);
// --></script>
</div>
<!--+
|breadtrail
+-->
<div class="breadtrail">
&nbsp;
</div>
<!--+
|start Menu, mainarea
+-->
<!--+
|start Menu
+-->
<div id="menu">
<div onclick="SwitchMenu('menu_selected_1.1', 'skin/')" id="menu_selected_1.1Title" class="menutitle" style="background-image: url('skin/images/chapter_open.gif');">Overview</div>
<div id="menu_selected_1.1" class="selectedmenuitemgroup" style="display: block;">
<div class="menupage">
<div class="menupagetitle">Home</div>
</div>
<div class="menuitem">
<a href="download.html">Download</a>
</div>
<div class="menuitem">
<a href="versioning.html">Versioning</a>
</div>
<div class="menuitem">
<a href="changes.html">Changelog</a>
</div>
<div class="menuitem">
<a href="apidocs/index.html">Javadocs</a>
</div>
<div class="menuitem">
<a href="text-extraction.html">Text Extraction</a>
</div>
<div class="menuitem">
<a href="encryption.html">Encryption support</a>
</div>
<div class="menuitem">
<a href="security.html">Secure processing</a>
</div>
<div class="menuitem">
<a href="casestudies.html">Case Studies</a>
</div>
<div class="menuitem">
<a href="related-projects.html">Related projects</a>
</div>
<div class="menuitem">
<a href="commercial-support.html">Commercial Support</a>
</div>
<div class="menuitem">
<a href="legal.html">Legal</a>
</div>
</div>
<div onclick="SwitchMenu('menu_1.2', 'skin/')" id="menu_1.2Title" class="menutitle">Apache Wide</div>
<div id="menu_1.2" class="menuitemgroup">
<div class="menuitem">
<a href="https://www.apache.org/">Apache Software Foundation</a>
</div>
<div class="menuitem">
<a href="https://www.apache.org/licenses/">License</a>
</div>
<div class="menuitem">
<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
</div>
<div class="menuitem">
<a href="https://www.apache.org/foundation/thanks.html">Thanks</a>
</div>
<div class="menuitem">
<a href="https://www.apache.org/security/">Security</a>
</div>
<div class="menuitem">
<a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a>
</div>
</div>
<div id="credit">
<hr>
<a href="https://www.apache.org/events/current-event.html"><img border="0" title="Apache Event" alt="Apache Event - logo" src="https://www.apache.org/events/current-event-125x125.png" style="width: 125px;height: 125px;"></a>
</div>
<div id="roundbottom">
<img style="display: none" class="corner" height="15" width="15" alt="" src="skin/images/rc-b-l-15-1body-2menu-3menu.png"></div>
<!--+
|alternative credits
+-->
<div id="credit2">
<a href="https://donate.apache.org/"><img border="0" title="Support Apache" alt="Support Apache - logo" src="images/support-asf.png" style="width: 125px;height: 125px;"></a><a href="https://www.apache.org/foundation/press/kit/#poweredby"><img border="0" title="powered by POI" alt="powered by POI - logo" src="images/poweredby-poi-logo.png" style="width: 125px;height: 125px;"></a>
</div>
</div>
<!--+
|end Menu
+-->
<!--+
|start content
+-->
<div id="content">
<h1>Apache POI&trade; - the Java API for Microsoft Documents</h1>
<div id="front-matter"></div>
<a name="Project+News"></a>
<h2 class="boxed">Project News</h2>
<div class="section">
<a name="30+November+2025+-+POI+5.5.1+available"></a>
<h3 class="boxed">30 November 2025 - POI 5.5.1 available</h3>
<p>The Apache POI team is pleased to announce the release of 5.5.1.
Several dependencies were updated to their latest versions to pick up security fixes and other improvements.</p>
<p>A summary of changes is available in the
<a href="https://www.apache.org/dyn/closer.lua/poi/release/RELEASE-NOTES.txt">Release Notes</a>.
A full list of changes is available in the <a href="changes.html#5.5.1">change log</a>.
People interested should also follow the <a href="help/index.html">dev list</a> to track progress.</p>
<p>See the <a href="download.html#POI-5.5.1">downloads</a> page for more details.</p>
<p>POI requires Java 8 or newer since version 4.0.1.</p>
<a name="7+July+2025+-+Source+repository+switched+from+Subversion+to+Git"></a>
<h3 class="boxed">7 July 2025 - Source repository switched from Subversion to Git</h3>
<p>
Apache POI switched hosting of the source repository from Subversion to Git.
</p>
<p>
After Subversion served the project well for many years, it was time to enable more
up-to-date workflows by using more of the features offered by Git-based platforms like
GitHub.
</p>
<p>
Therefore the source-code is now officially available at the previous
read-only mirror at <a href="https://github.com/apache/poi">https://github.com/apache/poi</a>.
</p>
<p>
This hopefully allows a smooth transition for anybody already using Git via
the read-only mirror.
</p>
<p>
Users who still used the Subversion-based repository will need to checkout a
fresh copy and migrate any pending changes.
</p>
<a name="8+April+2025+-+CVE-2025-31672+-+Improper+Input+Validation+vulnerability+in+Apache+POI+before+5.4.0"></a>
<h3 class="boxed">8 April 2025 - CVE-2025-31672 - Improper Input Validation vulnerability in Apache POI before 5.4.0</h3>
<p>
While parsing of OOXML format files like xlsx, docx and pptx, a specially crafted file could
be used to provide multiple entries with the same name in the zip-compressed file-format.
<br>
Products reading the affected file could read different data because one of the zip entries with the
duplicate name is selected over another by different products differently.<br>
<br>
This issue affects Apache POI component poi-ooxml before 5.4.0. Starting with 5.4.0 poi-ooxml performs
a check that throws an exception if zip entries with duplicate file names are found in the input file.<br>
<br>
Users are recommended to upgrade to version poi-ooxml 5.4.0 or later, which fixes the issue.
Please refer to our <a href="https://poi.apache.org/security.html">security guidelines</a>
for recommendations about how to use the POI libraries securely.
</p>
<p>
References:
</p>
<ul>
<li>
<a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=69620">Bug 69620</a>
</li>
<li>
<a href="https://www.cve.org/CVERecord?id=CVE-2025-31672">CVE-2025-31672</a>
</li>
</ul>
<a name="11+November+2024+-+Avoid+log4j-api+2.24.1"></a>
<h3 class="boxed">11 November 2024 - Avoid log4j-api 2.24.1</h3>
<p>While testing a potential Apache POI 5.4.0 release, we discovered a serious bug in
log4j-api 2.24.1. This leads to NullPointerExceptions when you use a version of log4j-core that is not of
the exact same version (2.24.1). We recommend that users avoid log4j 2.24.1 and use the latest
2.24.x version where this issue is fixed again.</p>
<p>XMLBeans release 5.2.2 had the problematic log4j-api 2.24.1 dependency and thus
can lead to such issues if used in some other context. In the meantime a version 5.3.0
of XmlBeans was released which avoids this issue.</p>
<p>Please direct any queries to the Log4j Team. The main issue is
<a href="https://github.com/apache/logging-log4j2/issues/3143">Issue 3143</a>.</p>
<a name="4+March+2022+-+CVE-2022-26336+-+A+carefully+crafted+TNEF+file+can+cause+an+out+of+memory+exception+in+Apache+POI+poi-scratchpad+versions+prior+to+5.2.0"></a>
<h3 class="boxed">4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0</h3>
<p>Description:<br>
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception.
This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server).
If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.</p>
<p>Mitigation:<br>
Affected users are advised to update to poi-scratchpad 5.2.1 or above
which fixes this vulnerability. It is recommended that you use the same versions of all POI jars.</p>
<a name="10%2B16%2B18+December+2021-+Log4j+vulnerabilities+CVE-2021-44228%2C+CVE-2021-45046+and+CVE-2021-45105"></a>
<h3 class="boxed">10+16+18 December 2021- Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105</h3>
<p>The Apache POI PMC has evaluated the security vulnerabilities reported
for Apache Log4j.</p>
<p>POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1.
The security vulnerabilities are not in log4j-api - they are in log4j-core.</p>
<p>If any POI or XMLBeans user uses log4j-core to control their logging of their application,
we strongly recommend that they upgrade all their log4j dependencies to the latest
version (currently v2.20.0) - including log4j-api.</p>
<a name="13+January+2021+-+CVE-2021-23926+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+XMLBeans+versions+prior+to+3.0.0"></a>
<h3 class="boxed">13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0</h3>
<p>Description:<br>
When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser
created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.</p>
<p>This issue was fixed a few years ago but on review, we decided we should have a CVE
to raise awareness of the issue.</p>
<p>Mitigation:<br>
Affected users are advised to update to Apache XMLBeans 3.0.0 or above
which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.</p>
<p>References:
<a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a>
</p>
<a name="20+October+2019+-+CVE-2019-12415+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+POI+versions+prior+to+4.1.1"></a>
<h3 class="boxed">20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1</h3>
<p>Description:<br>
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.</p>
<p>Mitigation:<br>
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1
which fixes this vulnerability.</p>
<p>Credit:
This issue was discovered by Artem Smotrakov from SAP</p>
<p>References:
<a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a>
</p>
<a name="26+March+2019+-+XMLBeans+3.1.0+available"></a>
<h3 class="boxed">26 March 2019 - XMLBeans 3.1.0 available</h3>
<p>The Apache POI team is pleased to announce the release of XMLBeans 3.1.0.
Featured are a handful of bug fixes.</p>
<p>The Apache POI project has unretired the XMLBeans codebase and is maintaining it as a sub-project,
due to its importance in the poi-ooxml codebase.</p>
<p>A summary of changes is available in the
<a href="https://svn.apache.org/viewvc/xmlbeans/trunk/CHANGES.txt?view=markup">Release Notes</a>.
People interested should also follow the <a href="help/index.html">POI dev list</a> to track progress.</p>
<p>The XMLBeans <a href="https://issues.apache.org/jira/projects/XMLBEANS">JIRA project</a> has been reopened and feel free to open issues.</p>
<p>POI 4.1.0 uses XMLBeans 3.1.0.</p>
<p>XMLBeans requires Java 6 or newer since version 3.0.2.</p>
<a name="11+January+2019+-+Initial+support+for+JDK+11"></a>
<h3 class="boxed">11 January 2019 - Initial support for JDK 11</h3>
<p>We did some work to verify that compilation with Java 11 is working and
that all unit-tests pass.
</p>
<p>See the details in the <a href="help/faq.html#faq-N102B0">FAQ entry</a>.</p>
</div>
<a name="Mission+Statement"></a>
<h2 class="boxed">Mission Statement</h2>
<div class="section">
<p>
The Apache POI Project's mission is to create and maintain Java APIs for manipulating various file formats
based upon the Office Open XML standards (OOXML) and Microsoft's OLE 2 Compound Document format (OLE2).
In short, you can read and write MS Excel files using Java.
In addition, you can read and write MS Word and MS PowerPoint files using Java. Apache POI is your Java Excel
solution (for Excel 97-2008). We have a complete API for porting other OOXML and OLE2 formats and welcome others to participate.
</p>
<p>
OLE2 files include most Microsoft Office files such as XLS, DOC, and PPT as well as MFC serialization API based file formats.
The project provides APIs for the <a href="components/poifs/">OLE2 Filesystem (POIFS)</a> and
<a href="components/hpsf/">OLE2 Document Properties (HPSF)</a>.
</p>
<p>
Office OpenXML Format is the new standards based XML file format found in Microsoft Office 2007 and 2008.
This includes XLSX, DOCX and PPTX. The project provides a low level API to support the Open Packaging Conventions
using <a href="components/oxml4j/index.html">openxml4j</a>.
</p>
<p>
For each MS Office application there exists a component module that attempts to provide a common high level Java api to both OLE2 and OOXML
document formats. This is most developed for <a href="components/spreadsheet/">Excel workbooks (SS=HSSF+XSSF)</a>.
Work is progressing for <a href="components/document/">Word documents (WP=HWPF+XWPF)</a> and
<a href="components/slideshow/">PowerPoint presentations (SL=HSLF+XSLF)</a>.
</p>
<p>
The project has some support for <a href="components/hsmf/index.html">Outlook (HSMF)</a>. Microsoft opened the specifications
to this format in October 2007. We would welcome contributions.
</p>
<p>
There are also projects for
<a href="components/diagram/index.html">Visio (HDGF and XDGF)</a>,
<a href="components/hmef/index.html">TNEF (HMEF)</a>,
and <a href="components/hpbf/">Publisher (HPBF)</a>.
</p>
<p>
As a general policy we collaborate as much as possible with other projects to
provide this functionality. Examples include: <a href="https://xml.apache.org/cocoon">Cocoon</a> for
which there are serializers for HSSF;
<a href="https://www.openoffice.org">Open Office.org</a> with whom we collaborate in documenting the
XLS format; and <a href="https://tika.apache.org/">Tika</a> /
<a href="https://lucene.apache.org">Lucene</a>,
for which we provide format interpretors. When practical, we donate
components directly to those projects for POI-enabling them.
</p>
<a name="Why+should+I+use+Apache+POI%3F"></a>
<h3 class="boxed">Why should I use Apache POI?</h3>
<p>
A major use of the Apache POI api is for <a href="text-extraction.html">Text Extraction</a> applications
such as web spiders, index builders, and content management systems.
</p>
<p>
So why should you use POIFS, HSSF or XSSF?
</p>
<p>
You'd use POIFS if you had a document written in OLE 2 Compound Document Format, probably written using
MFC, that you needed to read in Java. Alternatively, you'd use POIFS to write OLE 2 Compound Document Format
if you needed to inter-operate with software running on the Windows platform. We are not just bragging when
we say that POIFS is the most complete and correct implementation of this file format to date!
</p>
<p>
You'd use HSSF if you needed to read or write an Excel file using Java (XLS). You'd use
XSSF if you need to read or write an OOXML Excel file using Java (XLSX). The combined
SS interface allows you to easily read and write all kinds of Excel files (XLS and XLSX)
using Java. Additionally there is a specialized SXSSF implementation which allows to write
very large Excel (XLSX) files in a memory optimized way.
</p>
<a name="Components"></a>
<h3 class="boxed">Components</h3>
<p>
The Apache POI Project provides several component modules some of which may not be of interest to you.
Use the information on our <a href="components/">Components</a> page to determine which
jar files to include in your classpath.
</p>
</div>
<a name="Contributing"></a>
<h2 class="boxed">Contributing</h2>
<div class="section">
<p>
So you'd like to contribute to the project? Great! We need enthusiastic,
hard-working, talented folks to help us on the project, no matter your
background. So if you're motivated, ready, and have the time: Download the
source from the
<a href="devel/git.html">Git Repository</a>,
<a href="devel/index.html">build the code</a>, join the
<a href="help/index.html">mailing lists</a>, and we'll be happy to
help you get started on the project!
</p>
<p>
Please read our <a href="devel/guidelines.html">Contribution Guidelines</a>.
When your contribution is ready submit a patch to our
<a href="https://bz.apache.org/bugzilla/buglist.cgi?product=POI">Bug Database</a>.
</p>
</div>
</div>
<!--+
|end content
+-->
<div class="clearboth">&nbsp;</div>
</div>
<div id="footer">
<!--+
|start bottomstrip
+-->
<div class="lastmodified">
<script type="text/javascript"><!--
document.write("Last Published: " + document.lastModified);
// --></script>
</div>
<div class="copyright">
Copyright &copy;
2001-2026 <a href="https://www.apache.org/">The Apache Software Foundation</a>
<br>
Apache POI, POI, Apache, the Apache logo, and the Apache
POI project logo are trademarks of The Apache Software Foundation.
</div>
<div id="logos">
<a href="https://validator.w3.org/check/referer"><img style="height: 31px; width: 88px;" title="Valid HTML 4.01!" alt="Valid HTML 4.01!" src="skin/images/valid-html401.png" class="logoImage"></a><a href="https://jigsaw.w3.org/css-validator/check/referer"><img style="height: 31px; width: 88px;" title="Valid CSS!" alt="Valid CSS!" src="skin/images/vcss.png" class="logoImage"></a>
</div>
<div id="feedback">
Send feedback about the website to:
<a id="feedbackto" href="mailto:dev@poi.apache.org?subject=Feedback%C2%A0index.html">dev@poi.apache.org</a>
</div>
<!--+
|end bottomstrip
+-->
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink