ppkarwasz commented on code in PR #710:
URL: https://github.com/apache/commons-compress/pull/710#discussion_r2425864651
##########
src/main/java/org/apache/commons/compress/archivers/tar/TarUtils.java:
##########
@@ -767,15 +813,24 @@ protected static Map<String, String>
parsePaxHeaders(final InputStream inputStre
final String keyword =
coll.toString(StandardCharsets.UTF_8);
// Get rest of entry
final int restLen = len - read;
+
+ // Validate entry length
+ // 1. Ignore empty keywords
if (restLen <= 1) { // only NL
headers.remove(keyword);
+ // 2. Entry length exceeds header size
} else if (headerSize >= 0 && restLen > headerSize
- totalRead) {
throw new ArchiveException("PAX header value
size %,d exceeds size of header record.", restLen);
} else {
+ // 3. Entry length exceeds configurable file
and link name limits
+ if ("path".equals(keyword) ||
"linkpath".equals(keyword)) {
+ ArchiveUtils.checkEntryNameLength(restLen
- 1, maxEntryPathLength, "TAR");
+ }
final byte[] rest =
IOUtils.readRange(inputStream, restLen);
final int got = rest.length;
if (got != restLen) {
- throw new ArchiveException("Failed to read
PAX header: Expected %,d bytes, read %,d.", restLen, got);
+ throw new EOFException(String.format(
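Review bot: In the final else branch, the new length check covers only the "path" and "linkpath" keywords, and the branch before it is skipped whenever headerSize is negative, so for any other keyword nothing in these lines bounds restLen before IOUtils.readRange(inputStream, restLen) is called. Consider adding a comment that says when headerSize can be negative and what limits the value size in that case, or applying a general cap at that point. Separately, the comment "1. Ignore empty keywords" sits on a condition (restLen <= 1, "only NL") that tests for an empty value and then removes the keyword from headers; "Ignore empty values" would describe it accurately. The short-read case also changes from ArchiveException to EOFException, which deserves a mention in the method's Javadoc for callers that catch the former.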
Review Comment:
I removed the size check in 8756b7493dd812b9901dd08a0909f09b7abfc95a.
As explained above, that check was effectively unreachable. In the unlikely
event of a future programming error, `IOUtils.toByteArray` will still throw an
appropriate exception.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.