jaragunde commented on PR #1027: URL: https://github.com/apache/poi/pull/1027#issuecomment-4011567916
First of all, thank you for your thorough review. I don't think there's anything incorrect in commons-compress, other than an inherent and documented limitation of stream access, that happens "if the archive uses the data descriptor feature", which we do (`allowStoredEntriesWithDataDescriptor==true`). I found an example of a false positive due to this limitation, and I wanted to have the code use (what I thought was) a more accurate value provided by the zip central header, which would work for this false positive. But the situation I put ourselves in is having to choose between stream size figures that we know are inaccurate, and header figures that may be spoofed. The lesser evil seems to be the former; spoofing a header is easier.

All in all, I would rather take back my change. If we get back to this issue and manage to come up with a more robust zip bomb detection method, we would certainly contribute it!

Great timing for me to update stress.xls, it's been there for years :)

Thanks again!
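The stream-access limitation discussed in the comment, shown with an added Python example (not POI or commons-compress code; the entry name and payload are constructed): when general-purpose flag bit 3 is set, the local header carries zero sizes, a stream reader only learns the real figures from the data descriptor after inflating the entry, and the central directory written at the end of the file repeats them.

```python
"""Constructed example (not POI or commons-compress code): why a stream reader
cannot trust entry sizes up front when a zip uses data descriptors (flag bit 3)."""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4s2B4HL2L2H"     # 30-byte local file header (zipfile's structFileHeader)
DATA_DESCRIPTOR = "<4sLLL"     # signature, crc32, compressed size, uncompressed size
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes and CRC follow the entry data

class UnseekableSink:
    """Write-only sink without tell()/seek(): makes zipfile emit data descriptors."""
    def __init__(self):
        self.buf = bytearray()
    def write(self, data):
        self.buf += data
        return len(data)
    def flush(self):
        pass

def build_descriptor_zip(name, payload):
    """Write one deflated entry the way a streaming producer does (sizes after data)."""
    sink = UnseekableSink()
    with zipfile.ZipFile(sink, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return bytes(sink.buf)

def local_header_view(archive):
    """What a stream reader sees before touching the entry data: zeros and bit 3."""
    fields = struct.unpack(LOCAL_HDR, archive[:30])
    sig, flags, csize, usize = fields[0], fields[3], fields[8], fields[9]
    assert sig == b"PK\x03\x04"
    return {"descriptor_flag": bool(flags & FLAG_DATA_DESCRIPTOR),
            "compressed": csize, "uncompressed": usize}

def stream_reader_view(archive):
    """Real sizes only become known after inflating, from the trailing descriptor."""
    fields = struct.unpack(LOCAL_HDR, archive[:30])
    inflater = zlib.decompressobj(-15)              # raw deflate, as used inside zip
    plain = inflater.decompress(archive[30 + fields[10] + fields[11]:])
    sig, _crc, csize, usize = struct.unpack(DATA_DESCRIPTOR, inflater.unused_data[:16])
    assert sig == b"PK\x07\x08"
    return {"inflated": len(plain), "compressed": csize, "uncompressed": usize}

def central_directory_view(archive):
    """The central directory at the end of the file carries the same figures."""
    info = zipfile.ZipFile(io.BytesIO(archive)).infolist()[0]
    return {"compressed": info.compress_size, "uncompressed": info.file_size}
```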
