ppkarwasz commented on PR #777:
URL: https://github.com/apache/commons-compress/pull/777#issuecomment-4863262678

   > @ppkarwasz, given that, do you still want the mean-ratio guard and an 
on-by-default limit?
   
   I guess, we can deliver a mean-ratio guard in a separate wrapper: only a 
limited number of users need it. Basically only if the compressed stream comes 
primarily from untrusted sources (like in a server), users might want to add a 
mean-ratio check as a *fail-fast* mechanism to prevent a DoS.
   
   However, I think it would be nice if every `CompressorInputStream` inherited 
from `BoundedInputStream`: for archive formats that contain compressed data 
(ZIP, 7z), we usually have a (_declared_) decompressed size, so we could set 
that size as limit and prevent corrupted archives to fill the disk. Malicious 
archives, of course, would need the user to set a hard maximum decompressed 
size.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to