commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Bodewig (JIRA)" <>
Subject [jira] [Commented] (COMPRESS-445) Zip Bomb Detection
Date Tue, 17 Apr 2018 08:53:00 GMT


Stefan Bodewig commented on COMPRESS-445:

I've just had a cursory look and it looks good overall, of course I've got some nits :). I'll
do a more thorough review next weekend.

We don't like *-imports and I think the ZipArchiveInputStream case may be missing the stored
entry case (here I may be wrong as I only looked at the diff not the patched class).

Unfortunately we don't know how to create zips containing bzip2 entries either (which isn't
strictly true, to be honest, we just haven't coded this up, yet) and I don't think we'll ever
add support for writing the really old compression methods (implode and shrink).

> Zip Bomb Detection
> ------------------
>                 Key: COMPRESS-445
>                 URL:
>             Project: Commons Compress
>          Issue Type: Improvement
>          Components: Archivers
>            Reporter: PJ Fanning
>            Priority: Major
>             Fix For: 1.17
>         Attachments: InputStreamStatistics.patch.gz
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this relies on Reflection
and changes in Java 10 mean this code will not work in that version.
> []
> One option would be to add equivalent change support in commons-compress and for Poi
to use the commons version.

This message was sent by Atlassian JIRA

View raw message