Some time ago while working with mapserver, I did a quick wrap in C++ to use 
afl fuzzifier and found some interesting things, but no critical issues. I 
wonder if it would be possible to fuzzify a Java library too like compress, or 
even if that would make sense.

I've added it to my rainy-day-TODO-list anyway :-). In the same way we have JMH 
tests for performance, maybe we could have a profile that activates 
fuzzification... I guess?

Cheers
Bruno

________________________________
From: Benedikt Tröster <btroes...@ernw.de>
To: user@commons.apache.org 
Sent: Friday, 19 May 2017 3:18 AM
Subject: [compress] Security considerations (bomb, links, absolute paths)

Hello everyone!

I'm currently reviewing some code where the commons compress library has
been used. As far as I can tell there haven't been many security
vulnerabilities with this lib. I wonder however, how one would ensure
protection against ZIP-Bombs, extraction of links and absolute paths
(e.g. 7zip)?

I can't find any documentation on this.

Your input is very much appreciated! :)

Best,
Benedikt


---------------------------------------------------------------------

To unsubscribe, e-mail: user-unsubscr...@commons.apache.org

For additional commands, e-mail: user-h...@commons.apache.org
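The three concerns Benedikt raises (decompression bombs, symlink entries, absolute or traversing paths) are all checked on the extraction side, not by the library. The following is an added illustration for ZIP input using commons-compress's ZipArchiveInputStream; it is not code from the library or from either poster, and the class name and the size limit are assumptions to be tuned per application.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
// Extracts a ZIP stream into destDir, rejecting symlinks, escaping paths and oversized output.
public final class SafeZipExtractor {
    // Illustrative cap on decompressed output; the header's declared size is untrusted.
    private static final long MAX_TOTAL_BYTES = 512L * 1024 * 1024; // 512 MiB
    public static void extract(InputStream in, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        long totalBytes = 0;
        try (ZipArchiveInputStream zis = new ZipArchiveInputStream(in)) {
            ZipArchiveEntry entry;
            while ((entry = zis.getNextZipEntry()) != null) {
                // A symlink entry could later redirect writes outside root; refuse it outright.
                if (entry.isUnixSymlink()) {
                    throw new IOException("Symlink entry rejected: " + entry.getName());
                }
                // Absolute names and ".." segments both fail the prefix check after normalizing.
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("Entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                // Count bytes as they are actually decompressed, aborting once the cap is hit.
                try (OutputStream out = Files.newOutputStream(target)) {
                    byte[] buf = new byte[8192];
                    for (int n; (n = zis.read(buf)) != -1; ) {
                        totalBytes += n;
                        if (totalBytes > MAX_TOTAL_BYTES) {
                            throw new IOException("Extracted size exceeds limit (possible bomb)");
                        }
                        out.write(buf, 0, n);
                    }
                }
            }
        }
    }
}
```

The same path-prefix and byte-count checks carry over to the other archive formats the library reads (7z, tar, ar); only the symlink test is specific to the ZIP entry type.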
