Hi Greg, > [...] > I am wondering why, for those who HAVE to auto unpack, a > script cannot be written which, upon receipt of an > archive of any sort, inspects it for, as an example, > 100K of the same character repeated (keeping in mind > that the NULL character, chr$(7) etc have all been used > for compressed bombs) and if there *IS* such a file, > move the file to some safe location for later manual > inspection and if not, allow automatic unpacking etc. > [...]
A safe detection of a such bombs by inspecting the stream of uncompressed data seems impractical, since repeating patterns may consist of more than one byte. A better criterion may be the ratio of the size of currently uncompressed data and the total archive size. This number should not exceed a reasonable value. -- Regards, Alex _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
