Cfspreadsheet extension 3.0.5 released and version 3.0.4 removed

This extension is not maintained and has only been provided as a stop-gap measure to allow upgrading; see the notes section below.

TL;DR: cfspreadsheet 3.0.4 has been removed from the extension provider — it breaks Lucee 6.2 servers on restart (Felix cache corruption, potentially wiping server config) and is completely non-functional on Lucee 7. Version 3.0.5 fixes both issues. If you’re on 6.2 and already hit the crash, see the workaround below.

What happened with 3.0.4?

cfspreadsheet 3.0.4 was released to add Lucee 7 compatibility by bundling org.apache.commons.lang-2.6.jar (a dependency of the bundled POI 3.15 library). Unfortunately this triggered two separate bugs:

On Lucee 6.2: The Lucee core function OSGiUtil.improveFileName() renames any bundle jar whose filename doesn’t match the normalised OSGi version. Since commons-lang has Bundle-Version: 2.6 (which OSGi normalises to 2.6.0), the file gets renamed from 2.6.jar to 2.6.0.jar on disk — but Felix’s bundle cache still references the old filename. On the next restart, Felix tries to install the jar at the new path and finds a duplicate registration, crashing with:


BundleException: Bundle symbolic name and version are not unique: org.apache.commons.lang:2.6.0

In some environments, the error recovery code in the Lucee loader aggressively deletes the Felix cache directory, which can wipe the entire lucee-server/context configuration. See LDEV-6145 and LDEV-6144.
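A check for the filename mismatch described above, as an added example that is not part of the original post or of Lucee's code: it reads each jar's Bundle-Version, normalises it the OSGi way, and lists jars whose filename does not end in the normalised version. The function names are hypothetical, the `<symbolic-name>-<version>.jar` naming is an assumption taken from the filenames quoted in this post, and the sample jars are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path


def normalise_osgi_version(version):
    # OSGi pads missing parts with 0 ("2.6" -> "2.6.0"); a qualifier is kept.
    parts = version.strip().split(".", 3)
    return ".".join((parts[:3] + ["0", "0"])[:3] + parts[3:])


def read_manifest(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    headers = {}
    for line in re.sub(r"\r?\n ", "", raw).splitlines():  # unfold wrapped lines
        name, sep, value = line.partition(": ")
        if sep:
            headers.setdefault(name, value.strip())  # main section wins
    return headers


def find_rename_candidates(bundle_dir):
    findings = []
    for jar_path in sorted(Path(bundle_dir).glob("*.jar")):
        try:
            declared = read_manifest(jar_path).get("Bundle-Version")
        except (KeyError, zipfile.BadZipFile):
            continue  # no manifest, or not a readable jar
        normalised = normalise_osgi_version(declared) if declared else None
        # Assumption: bundle files are named <symbolic-name>-<version>.jar
        if normalised and not jar_path.stem.endswith("-" + normalised):
            findings.append((jar_path.name, declared, normalised))
    return findings


def demo():
    # Constructed sample bundles: one declares 2.6, one is already normalised.
    samples = {"org.apache.commons.lang-2.6.jar": "2.6", "example.bundle-1.2.3.jar": "1.2.3"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in samples.items():
            with zipfile.ZipFile(Path(tmp, name), "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF", f"Bundle-Version: {version}\r\n")
        return find_rename_candidates(tmp)


if __name__ == "__main__":
    print(demo())
```

Pointing `find_rename_candidates()` at a copy of `{lucee-server}/bundles/`, or at the jars unpacked from an extension, before a restart shows which files meet the rename condition.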

On Lucee 7.0/7.1: The extension still shipped a .lar archive containing pre-compiled Lucee bytecode from 2016. This bytecode references javax.servlet.jsp.tagext.Tag which doesn’t exist in Lucee 7’s Jakarta EE environment — every spreadsheet function fails immediately.

What’s fixed in 3.0.5?

  1. commons-lang embedded inside the OSGi bundle jar: commons-lang-2.6.jar is now on the Bundle-ClassPath inside cfspreadsheet_3.0.5.jar and removed from Import-Package. No external commons-lang jar is deployed, so improveFileName() is never triggered. The Felix cache corruption cannot occur.

  2. Source CFML replaces compiled bytecode — the old .lar archive (with 2016 bytecode) has been replaced with a components/ directory containing the source Spreadsheet.cfc. Lucee compiles it at runtime, so it works on both 6.2 and 7.x.

Tested across Lucee 6.2.5.48, 7.0.2.106, and 7.1.0.61-SNAPSHOT — including restart survival on 6.2.

If you’ve already been hit (Lucee 6.2)

If your server is crashing after installing 3.0.4:

  1. Stop Lucee

  2. Delete org.apache.commons.lang-2.6.0.jar from {lucee-server}/bundles/

  3. Delete the Felix cache directory ({lucee-server}/context/felix-cache)

  4. Drop cfspreadsheet-3.0.3.lex into {lucee-server}/deploy/ (to downgrade until 3.0.5 is available from the provider)

  5. Start Lucee

Then upgrade to 3.0.5 once it’s available via the admin.

A note on this extension

cfspreadsheet is currently unmaintained. It bundles Apache POI 3.15 from 2016, which has known CVEs and exports JDK packages (javax.xml.*, org.w3c.*) from its OSGi bundle — something that may cause issues in future Lucee versions.

For new projects, we recommend spreadsheet-cfml by CFSimplicity, which uses a current version of POI and is actively maintained. It provides a function-based API for spreadsheet operations.

cfspreadsheet 3.0.5 is provided as a stop-gap for existing applications that depend on the <cfspreadsheet> tag or the Spreadsheet*() built-in functions, particularly for those upgrading from Lucee 5/6 to Lucee 7.

Ideally a future version would wrap spreadsheet-cfml as the underlying engine while keeping the <cfspreadsheet> tag and Spreadsheet*() function interfaces — but that needs someone to step up as a maintainer. If you’re interested, reach out here on the forum.
