ppkarwasz commented on code in PR #710:
URL: https://github.com/apache/commons-compress/pull/710#discussion_r2380039267
##########
src/main/java/org/apache/commons/compress/archivers/tar/TarUtils.java:
##########
@@ -767,15 +813,24 @@ protected static Map<String, String>
parsePaxHeaders(final InputStream inputStre
final String keyword =
coll.toString(StandardCharsets.UTF_8);
// Get rest of entry
final int restLen = len - read;
+
+ // Validate entry length
+ // 1. Ignore empty keywords
if (restLen <= 1) { // only NL
headers.remove(keyword);
+ // 2. Entry length exceeds header size
} else if (headerSize >= 0 && restLen > headerSize
- totalRead) {
throw new ArchiveException("PAX header value
size %,d exceeds size of header record.", restLen);
} else {
+ // 3. Entry length exceeds configurable file
and link name limits
+ if ("path".equals(keyword) ||
"linkpath".equals(keyword)) {
Review Comment:
Nice point! Fixed in
https://github.com/apache/commons-compress/pull/710/commits/7a3d21cbf94d012f769cf1cab7ac4cd629e51685