commons-issues mailing list archives

From "Stefan Bodewig (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (COMPRESS-445) Zip Bomb Detection
Date Sun, 29 Apr 2018 10:15:00 GMT

    [ https://issues.apache.org/jira/browse/COMPRESS-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16457970#comment-16457970 ]

Stefan Bodewig edited comment on COMPRESS-445 at 4/29/18 10:14 AM:
-------------------------------------------------------------------

By now almost all {{CompressorInputStream}} s are covered (pack200 is not, but that's special
anyway, {{getBytesRead}} isn't implemented either). I'll have a second look at {{SevenZipFile}}
but its API is quite different from the other things we do.


was (Author: bodewig):
By now almost all {{CompressorInputStream}}s are covered (pack200 is not, but that's special
anyway, {{getBytesRead}} isn't implemented either). I'll have a second look at {{SevenZipFile}}
but its API is quite different from the other things we do.

> Zip Bomb Detection
> ------------------
>
>                 Key: COMPRESS-445
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-445
>             Project: Commons Compress
>          Issue Type: Improvement
>          Components: Archivers
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: zip
>             Fix For: 1.17
>
>         Attachments: InputStreamStatistics.patch.gz
>
>
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this relies on Reflection
> and changes in Java 10 mean this code will not work in that version.
> [https://github.com/apache/poi/blob/trunk/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java]
> One option would be to add equivalent change support in commons-compress and for Poi
> to use the commons version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
