On Mon 21 Feb 2011 16:57 +0100, Lukas Fleischer wrote: > On Mon, Feb 21, 2011 at 10:51:01AM -0500, Loui Chang wrote: > > On Mon 21 Feb 2011 16:35 +0100, Lukas Fleischer wrote: > > > On Mon, Feb 21, 2011 at 03:46:47PM +0100, Dieter Plaetinck wrote: > > > > hmmm. some good points. > > > > I guess I could try the suggested approach and see how I like it. > > > > However, now that you bring up the "zip bombs", do you think it's > > > > feasible to scan for them serverside without compromising security > > > > and/or making things needlessly complicated? it would be useful for > > > > clients if that one aspect could be filtered out in advance. > > > > > > I don't think this is possible without decompressing the tarball which > > > is again vulnerable to (D)DoS. > > > > It might be possible. There are xz -l and gunzip -l functions to preview > > the uncompressed size of archives without decompression. > > Hm, that doesn't sound too bad. We'd need to integrate this with > Archive::Tar tho... It might be best to open a feature request on the > AUR bug tracker at this point.
Voila! https://bugs.archlinux.org/task/22991?project=2
