dotnet
New DOCX document is created with Override node rather than Default node in [Content_Types].xml
Description
When creating a blank DOCX document with Open XML SDK. 'Default' nodes were created rather than 'Override' node in [Content_Types].xml, which would fail security checks when streaming the document
Information
- .NET Target: .NET Framework 4.6
- DocumentFormat.OpenXml Version: 2.13.0
Repro
using (WordprocessingDocument wordDocument =
WordprocessingDocument.Create(filepath, WordprocessingDocumentType.Document))
{
// Add a main document part.
MainDocumentPart mainPart = wordDocument.AddMainDocumentPart();
// Create the document structure and add some text.
mainPart.Document = new Document();
Body body = mainPart.Document.AppendChild(new Body());
Paragraph para = body.AppendChild(new Paragraph());
Run run = para.AppendChild(new Run());
run.AppendChild(new Text("Create text in body - CreateWordprocessingDocument"));
}
Observed
'Default' nodes were created rather than 'Override' node in [Content_Types].xml, which would fail security checks when streaming the document.
According to https://social.msdn.microsoft.com/Forums/en-US/1849f943-598f-43d1-bef5-99aad5d18b0c/override-vs-default?forum=oxmlsdk: If the package is intended for streaming consumption: · The package implementer should not allow Default elements; as a consequence, there should be one Override element for each part in the package. · The format producer should write the Override elements to the package so they appear before the parts to which they correspond, or in close proximity to the part to which they correspond.
Also, if I opened the document in Word and re-saved it, the 'Override' node will be created automatically by MS Office, so MS Office also seems to use the 'Override' node as the preferred option.
This also caused issues when streaming/uploading the document, some security checks will scan if the document has the 'Override' node defined and mapped properly so that it can be determined as a safe and valid DOCX file.
Expected
'Override' node should be created when a new document is created with Open XML SDK, with each xml part of the package be explicitly mapped to the node.
Hi @qqytqqyt , I tested this in the latest version of Word and it also adds the Default elements. How are you saving the file that it does not create the Default elements in [Content_Types].xml ?
Hi @mikeebowen
Thanks for checking.
The issue is not about the presence of "default" element, it's that the "Default" element in Open XML SDK created package points all non-overridden .xml file as 'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml' (main part of the document) type.
Below is a comparison of the [content_types].xml created in Word vs Open XML SDK:
In Word created xml, only "word/document.xml" file is considered as "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", and all other xml by default is only considered a regular 'application/xml' file. This makes sure that no malicious XML file in the package is recognized as the main part of the document.
However in Open XML SDK, all ".xml" files that are not overridden may potentially be considered as "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", which is not compliant with the security requirement.
OK, I'll investigate this more. It might mean a breaking change which would have to wait for the next major version