Open-XML-SDK icon indicating copy to clipboard operation
Open-XML-SDK copied to clipboard

Published 20 hours ago verified publisher icon dotnet

New DOCX document is created with Override node rather than Default node in [Content_Types].xml

Open qqytqqyt opened this issue 4 years ago • 3 comments

Description

When creating a blank DOCX document with Open XML SDK. 'Default' nodes were created rather than 'Override' node in [Content_Types].xml, which would fail security checks when streaming the document

Information

  • .NET Target: .NET Framework 4.6
  • DocumentFormat.OpenXml Version: 2.13.0

Repro

using (WordprocessingDocument wordDocument =
                WordprocessingDocument.Create(filepath, WordprocessingDocumentType.Document))
            {
                // Add a main document part. 
                MainDocumentPart mainPart = wordDocument.AddMainDocumentPart();

                // Create the document structure and add some text.
                mainPart.Document = new Document();
                Body body = mainPart.Document.AppendChild(new Body());
                Paragraph para = body.AppendChild(new Paragraph());
                Run run = para.AppendChild(new Run());
                run.AppendChild(new Text("Create text in body - CreateWordprocessingDocument"));
            }

Observed

'Default' nodes were created rather than 'Override' node in [Content_Types].xml, which would fail security checks when streaming the document.

According to https://social.msdn.microsoft.com/Forums/en-US/1849f943-598f-43d1-bef5-99aad5d18b0c/override-vs-default?forum=oxmlsdk: If the package is intended for streaming consumption: · The package implementer should not allow Default elements; as a consequence, there should be one Override element for each part in the package. · The format producer should write the Override elements to the package so they appear before the parts to which they correspond, or in close proximity to the part to which they correspond.

Also, if I opened the document in Word and re-saved it, the 'Override' node will be created automatically by MS Office, so MS Office also seems to use the 'Override' node as the preferred option.

This also caused issues when streaming/uploading the document, some security checks will scan if the document has the 'Override' node defined and mapped properly so that it can be determined as a safe and valid DOCX file.

Expected

'Override' node should be created when a new document is created with Open XML SDK, with each xml part of the package be explicitly mapped to the node.

qqytqqyt avatar Jul 21 '21 10:07 qqytqqyt