On Mon, Feb 21, 2011 at 06:16:08PM -0500, Loui Chang wrote:
> On Tue 22 Feb 2011 00:51 +0200, Ionuț Bîru wrote:
> > On 02/22/2011 12:35 AM, Isaac Dupree wrote:
> > > On 02/21/11 10:54, Lukas Fleischer wrote:
> > > > Yes, like having two 1GB large files `tar -czf`'ed and uploading the
> > > > resulting tarball to the AUR. I don't think that can be detected without
> > > > being vulnerable to DoS attacks.
> > >
> > > What if the PKGBUILD itself is a 1GB file? For example a normal looking
> > > PKGBUILD followed by a billion newlines. That probably compresses pretty
> > > well.
> > >
> > > (/foolishly responding without reading code)
> > >
> > > -Isaac
> >
> > Actually, if I remember well, somebody did that in the past.
>
> Yeah, we really need to figure out a reliable way to reject these
> zip-bombs.
Work in progress [1] :p

[1] https://bugs.archlinux.org/task/22991
