commons-user mailing list archives

From "Bruno P. Kinoshita" <brunodepau...@yahoo.com.br.INVALID>
Subject Re: [compress] Security considerations (bomb, links, absolute paths)
Date Fri, 19 May 2017 03:42:01 GMT
Some time ago while working with mapserver, I did a quick wrap in C++ to use afl fuzzifier
and found some interesting things, but no critical issues. I wonder if it would be possible
to fuzzify a Java library too like compress, or even if that would make sense.

I've added it to my rainy-day-TODO-list anyway :-) in the same way we have JMH tests for performance,
maybe we could have a profile that activates fuzzification... I guess?

Cheers
Bruno



________________________________
From: Benedikt Tröster <btroester@ernw.de>
To: user@commons.apache.org 
Sent: Friday, 19 May 2017 3:18 AM
Subject: [compress] Security considerations (bomb, links, absolute paths)



Hello everyone!

I'm currently reviewing some code where the commons compress library has
been used. As far as I can tell there haven't been many security
vulnerabilities with this lib. I wonder however, how one would ensure
protection against ZIP-Bombs, extraction of links and absolute paths
(e.g. 7zip)?

I can't find any documentation on this.

Your input is very much appreciated! :)

Best,
Benedikt


---------------------------------------------------------------------

To unsubscribe, e-mail: user-unsubscribe@commons.apache.org

For additional commands, e-mail: user-help@commons.apache.org
