commons-user mailing list archives

From Benedikt Tröster <>
Subject Re: [compress] Security considerations (bomb, links, absolute paths)
Date Thu, 18 May 2017 17:14:55 GMT
Hi Stefan,

thanks a lot for your detailed answer! That explained most of my concerns.
However here are some things I have questions about:

On 18.05.17 at 18:17, Stefan Bodewig wrote:
> Compress will give you the path as it is contained inside the
> archive but if an application blindly accepts an absolute path, it is the
> application's fault.
How would one receive the path from the archive? Would getName() contain
a full path (if given in the archive) such as "/etc/passwd"? Or will it
always contain the file name "passwd"?

When protecting against ZIP bombs I guess you would do a size check
before unpacking via getSize(), right? You said this is not available
for every file type; is there documentation for which archive types it is
not available?

If a ZIP file contains a ZIP file itself, this will not automatically be
"resolved" by the library, right? As a dev you'd have to start a new
decompression process on the ArchiveEntry containing the second level
archive, right?

Is it possible to determine if an Entry is actually a Symlink?

Thanks so much for your help!
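The checks discussed in this thread, as an added example that is not code from the list or from Commons Compress itself: reject entries whose stored name escapes the destination, detect symlinks on the concrete tar/zip entry types, meter actual bytes instead of trusting getSize(), and write nested archives as plain files rather than recursing. The class name SafeUnpacker and the MAX_TOTAL_BYTES budget are assumed; the caller opens the ArchiveInputStream (e.g. via ArchiveStreamFactory) and closes it.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;

public final class SafeUnpacker {
    // Total bytes we are willing to write to disk; an assumed example budget.
    private static final long MAX_TOTAL_BYTES = 256L * 1024 * 1024;

    /** Unpacks the entries of an already-opened archive stream into destDir. Never recurses
     *  into nested archives: an entry that is itself an archive is written as a plain file. */
    public static long unpack(ArchiveInputStream ais, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        long written = 0;
        ArchiveEntry entry;
        while ((entry = ais.getNextEntry()) != null) {
            String name = entry.getName();
            // getName() is the path exactly as stored; it may be absolute or contain "..".
            Path target = root.resolve(name).normalize();
            if (!target.startsWith(root)) throw new IOException("Entry escapes destination: " + name);
            if (isSymlink(entry)) throw new IOException("Symlink entry rejected: " + name);
            if (!ais.canReadEntryData(entry)) throw new IOException("Unreadable entry data: " + name);
            if (entry.isDirectory()) { Files.createDirectories(target); continue; }
            // getSize() may be SIZE_UNKNOWN (-1) and is attacker-controlled, so real bytes are metered too.
            long declared = entry.getSize();
            if (declared != ArchiveEntry.SIZE_UNKNOWN && written + declared > MAX_TOTAL_BYTES)
                throw new IOException("Declared size exceeds budget: " + name);
            Files.createDirectories(target.getParent());
            try (OutputStream out = Files.newOutputStream(target)) {
                byte[] buf = new byte[8192];
                for (int n; (n = ais.read(buf)) != -1; ) {
                    if ((written += n) > MAX_TOTAL_BYTES) throw new IOException("Budget exhausted: " + name);
                    out.write(buf, 0, n);
                }
            }
        }
        return written;
    }

    /** Symlink detection is format-specific; tar and zip expose it on their concrete entry types. */
    static boolean isSymlink(ArchiveEntry e) {
        if (e instanceof TarArchiveEntry) return ((TarArchiveEntry) e).isSymbolicLink();
        if (e instanceof ZipArchiveEntry) return ((ZipArchiveEntry) e).isUnixSymlink();
        return false; // other formats expose no link information through ArchiveEntry
    }
}
```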

