https://bz.apache.org/bugzilla/show_bug.cgi?id=69867
Bug ID: 69867
Summary: False positive in zip bomb detection
Product: POI
Version: 5.4.2-FINAL
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: OPC
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
There is code in POI to detect zip bombs, files that become huge when
decompressed and can be used as an attack vector.
In ZipArchiveThresholdInputStream we check the compression ratio of every entry
before reading it, and we compare it with ZipSecureFile.MIN_INFLATE_RATIO,
which by default is 0.01. When the calculated ratio is lower than the
threshold, we throw an IOException.
The attached file produces an error; these are the reported ratios in the error
message:
Uncompressed size: 106496, Raw/compressed size: 356, ratio: 0.003343
Limits: MIN_INFLATE_RATIO: 0.010000, Entry: word/media/image1.emf
But when I manually checked the compression ratio of that entry, I obtained: 1.27MB
(compressed) / 4.25MB (uncompressed) = 0.299. This ratio is above the 0.01
limit, so the exception shouldn't have happened.
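To make the two ways of computing the ratio concrete, here is an added Python illustration (not POI code): it builds a constructed entry whose leading bytes are highly compressible and compares the ratio over the whole entry with a check that re-evaluates compressed/uncompressed on the bytes inflated so far. That a threshold stream evaluates the ratio incrementally in this way is an assumption of the example, not something the report establishes.

```python
import random
import zlib

# POI's default ZipSecureFile.MIN_INFLATE_RATIO (compressed / uncompressed).
MIN_INFLATE_RATIO = 0.01

def deflate(payload: bytes) -> bytes:
    """Raw DEFLATE stream, the encoding used for a compressed zip entry."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(payload) + c.flush()

def whole_entry_ratio(compressed: bytes, uncompressed_size: int) -> float:
    """The ratio computed by hand from the entry's final sizes, as in the report."""
    return len(compressed) / uncompressed_size

def streaming_check(compressed: bytes, min_ratio: float = MIN_INFLATE_RATIO, chunk: int = 64):
    """Inflate chunk by chunk and re-evaluate the ratio on the bytes seen so far
    (assumed behaviour of an incremental checker, constructed for this example).
    Returns (passed, compressed_seen, inflated_seen, ratio) for the first failing
    point, or for the end of the stream when every check passes."""
    d = zlib.decompressobj(wbits=-15)
    seen = inflated = 0
    for i in range(0, len(compressed), chunk):
        piece = compressed[i:i + chunk]
        inflated += len(d.decompress(piece))
        seen += len(piece)
        if inflated == 0:  # header not fully parsed yet, nothing to compare
            continue
        ratio = seen / inflated
        if ratio < min_ratio:
            return False, seen, inflated, ratio
    inflated += len(d.flush())
    return True, seen, inflated, seen / inflated

# Constructed entry: a run of zeros (very compressible, like a blank leading
# region of a file) followed by incompressible data, so the overall ratio is healthy.
ZEROS, NOISE = 256 * 1024, 768 * 1024
PAYLOAD = b"\x00" * ZEROS + random.Random(1234).randbytes(NOISE)
COMPRESSED = deflate(PAYLOAD)

if __name__ == "__main__":
    print("whole-entry ratio:", round(whole_entry_ratio(COMPRESSED, len(PAYLOAD)), 3))
    ok, seen, inflated, ratio = streaming_check(COMPRESSED)
    print(f"streaming check passed={ok} Uncompressed size: {inflated}, "
          f"Raw/compressed size: {seen}, ratio: {ratio:.6f}")
```

The whole-entry ratio is well above 0.01, while the incremental check trips on the first chunks, where only the zero run has been inflated.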