poi-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 62201] Zip Bomb ratio: Fail fast and/or round the ratio before comparison
Date Wed, 21 Mar 2018 06:16:32 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=62201

--- Comment #2 from Dominik Stadler <dominik.stadler@gmx.at> ---
1. This would cause performance issues as we would need to read and parse every
embedded item, for some files this could be substantial. Probably best if you
use a small wrapper function where you do this if it is useful for you.

2. We continually compute the compression ratio while uncompressing the stream
and stop as soon as the ratio goes beyond the limit. So you will always see a
number close to the limit here. We do not read the whole stream and thus do not
compute the actual ratio of the whole file before failing, as the whole point of
this is to not read malicious files completely.

We can try to improve the error message to make this a bit clearer.

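The streaming check described in comment #2, written out as an added illustration; this is not Apache POI's code. It inflates a zlib stream in small steps, recomputes inflated/compressed after every step, and aborts the moment the ratio crosses the limit, so the ratio in the error is the value at abort and the rest of the stream is never read. The limit of 100 and the 4096-byte grace threshold are assumed values chosen for the example, not POI's settings, and both sample payloads are constructed inline.

```python
"""Streaming zip-bomb guard: fail fast on the running inflate ratio.

Illustrative code written for this page, not Apache POI's implementation.
"""
import random
import zlib

# Inflated-bytes / compressed-bytes limit (assumed value for this example).
MAX_INFLATE_RATIO = 100.0
# Tiny prefixes give misleading ratios, so no verdict is made before this
# many bytes have been inflated (assumed grace threshold for this example).
GRACE_BYTES = 4096


class ZipBombError(Exception):
    """Raised when the running inflate ratio exceeds MAX_INFLATE_RATIO."""

    def __init__(self, ratio, bytes_in, bytes_out):
        super().__init__(
            f"inflate ratio {ratio:.1f} exceeded limit {MAX_INFLATE_RATIO:.0f} "
            f"after {bytes_in} compressed bytes inflated to {bytes_out} bytes "
            f"(ratio measured at abort, not for the whole entry)"
        )
        self.ratio = ratio
        self.bytes_in = bytes_in
        self.bytes_out = bytes_out


def inflate_guarded(compressed, chunk_in=256, chunk_out=4096):
    """Inflate a zlib stream in small steps, checking the ratio after each."""
    d = zlib.decompressobj()
    out = bytearray()
    pos = 0        # offset of the next unread compressed byte
    bytes_in = 0   # compressed bytes handed to the decompressor so far
    while True:
        if d.unconsumed_tail:
            # The previous step hit chunk_out before finishing this input piece.
            feed = d.unconsumed_tail
        elif pos < len(compressed):
            feed = compressed[pos:pos + chunk_in]
            pos += len(feed)
            bytes_in += len(feed)
        else:
            break
        out += d.decompress(feed, chunk_out)
        if len(out) >= GRACE_BYTES:
            ratio = len(out) / bytes_in
            if ratio > MAX_INFLATE_RATIO:
                # Fail fast: the remainder of the stream is never read.
                raise ZipBombError(ratio, bytes_in, len(out))
    out += d.flush()
    return bytes(out)


def make_bomb(size=8 * 1024 * 1024):
    """Constructed sample: a highly compressible all-zero payload."""
    return zlib.compress(b"\0" * size, 9)


def make_benign(size=20_000):
    """Constructed sample: an incompressible pseudo-random payload."""
    return zlib.compress(random.Random(7).randbytes(size))


def check(compressed):
    """Return ("ok", ratio) or ("bomb", ratio_at_abort, compressed_bytes_read)."""
    try:
        data = inflate_guarded(compressed)
    except ZipBombError as e:
        return ("bomb", e.ratio, e.bytes_in)
    return ("ok", len(data) / len(compressed))


def whole_file_ratio(compressed):
    """The ratio a full inflate would report, i.e. what the reporter expected."""
    return len(zlib.decompress(compressed)) / len(compressed)


if __name__ == "__main__":
    bomb = make_bomb()
    verdict, ratio, read = check(bomb)
    print(f"{verdict}: ratio at abort {ratio:.1f}, "
          f"read {read} of {len(bomb)} compressed bytes")
    print(f"whole-file ratio would be {whole_file_ratio(bomb):.1f}")
    print(check(make_benign()))
```

Running it shows the two numbers the bug report confused: the ratio at abort sits just above the limit (between 100 and 116 with these step sizes), while the whole-file ratio of the same payload is several times larger and is only known to a reader that inflates everything.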

