ppkarwasz commented on PR #777: URL: https://github.com/apache/commons-compress/pull/777#issuecomment-4863262678
> @ppkarwasz, given that, do you still want the mean-ratio guard and an on-by-default limit? I guess, we can deliver a mean-ratio guard in a separate wrapper: only a limited number of users need it. Basically only if the compressed stream comes primarily from untrusted sources (like in a server), users might want to add a mean-ratio check as a *fail-fast* mechanism to prevent a DoS. However, I think it would be nice if every `CompressorInputStream` inherited from `BoundedInputStream`: for archive formats that contain compressed data (ZIP, 7z), we usually have a (_declared_) decompressed size, so we could set that size as limit and prevent corrupted archives to fill the disk. Malicious archives, of course, would need the user to set a hard maximum decompressed size. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
