[ https://issues.apache.org/jira/browse/COMPRESS-707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18014586#comment-18014586 ]
Gary D. Gregory commented on COMPRESS-707:
------------------------------------------

[~rdvdijk] Why should the code ignore a checksum? How would you expect to detect corrupt or malicious files?

> TAR: TarUtils.verifyCheckSum throws an Exception when checksum could not be parsed
> ----------------------------------------------------------------------------------
>
>                 Key: COMPRESS-707
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-707
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>    Affects Versions: 1.27.1, 1.28.0
>            Reporter: Roel van Dijk
>            Priority: Major
>
> When parsing a TAR entry, the checksum is read from the header and verified.
>
> {code:java}
> final long storedSum = parseOctal(header, TarConstants.CHKSUM_OFFSET, TarConstants.CHKSUMLEN);
> {code}
>
> When the checksum itself is invalid (e.g. the octal number could not be parsed), an exception is thrown by the method TarUtils.parseOctal:
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid byte 0 at offset 4 in '4712{NUL}36{NUL}' len=8
> {code}
>
> This exception is non-descriptive, and in our opinion TarUtils.verifyCheckSum should just return false when the checksum could not be parsed.
>
> We will open a pull request on GitHub to address this. We will include an altered version of the bla.tar test file to cover this edge case.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
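The header check the ticket is about, as an added Python example (not Commons Compress's own code): the octal checksum field is parsed leniently and a malformed field such as the ticket's '4712{NUL}36{NUL}' yields a failed verification rather than an exception, while a header whose bytes no longer match the stored sum is still rejected, which is the detection the reviewer's comment asks about. The field offsets follow the POSIX ustar layout; the minimal header and the corrupt field are constructed for the demo.

```python
import re

BLOCK_SIZE = 512
CHKSUM_OFFSET = 148  # offsets as TarConstants.CHKSUM_OFFSET / CHKSUMLEN
CHKSUM_LEN = 8


def header_sums(header: bytes) -> tuple:
    """Unsigned and signed sums of the 512 header bytes, with the checksum
    field counted as eight spaces (POSIX rule); some writers used signed bytes."""
    body = header[:CHKSUM_OFFSET] + b" " * CHKSUM_LEN + header[CHKSUM_OFFSET + CHKSUM_LEN:]
    unsigned = sum(body)
    signed = sum(b - 256 if b > 127 else b for b in body)
    return unsigned, signed


def parse_octal(field: bytes):
    """Lenient numeric-field parser: leading spaces, octal digits, then only
    trailing spaces/NULs. Returns None instead of raising on a malformed field
    such as the ticket's b'4712\\x0036\\x00' (NUL inside the digits)."""
    m = re.fullmatch(rb" *([0-7]+)[ \x00]*", field)
    return int(m.group(1), 8) if m else None


def verify_checksum(header: bytes) -> bool:
    """False for a short block, an unparseable checksum field or a sum mismatch:
    a garbled field counts as a failed check, it does not abort parsing."""
    if len(header) != BLOCK_SIZE:
        return False
    stored = parse_octal(header[CHKSUM_OFFSET:CHKSUM_OFFSET + CHKSUM_LEN])
    if stored is None:
        return False
    return stored in header_sums(header)


def build_header(name: bytes, size: int) -> bytes:
    """Constructed minimal ustar header for the demo (not from a real archive)."""
    h = bytearray(BLOCK_SIZE)
    h[0:len(name)] = name
    h[100:108] = b"0000644\x00"          # mode
    h[124:136] = b"%011o\x00" % size     # size
    h[156] = ord("0")                    # typeflag: regular file
    h[257:263] = b"ustar\x00"
    h[CHKSUM_OFFSET:CHKSUM_OFFSET + CHKSUM_LEN] = b"%06o\x00 " % header_sums(bytes(h))[0]
    return bytes(h)


def corrupt_checksum_field(header: bytes, field: bytes = b"4712\x0036\x00") -> bytes:
    """Swap in the malformed checksum bytes quoted in the ticket (constructed)."""
    return header[:CHKSUM_OFFSET] + field + header[CHKSUM_OFFSET + CHKSUM_LEN:]
```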