[
https://issues.apache.org/jira/browse/COMPRESS-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16438479#comment-16438479
]
Andreas Beeker commented on COMPRESS-445:
-----------------------------------------
I've attached a potential fix which allows retrieving decompression stats
while reading the stream. I'm not sure if commons compress is the right place
to provide zip bomb prevention, but with that interface user code can easily
handle it.
While adding the interface, I didn't like the duplicated code in ZipFile and
ZipArchiveInputStream. Originally I thought I could add the interface methods
in a common base class, but this probably would need a refactoring.
The test doesn't cover all zip related compression methods. I thought about
creating a file on the fly, but I don't know how to add e.g. a bzip stream to a
zip archive.
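An added example (not the attached patch and not Commons Compress code) of the user-side handling the comment describes: the caller reads the archive and aborts as soon as the stream's decompression statistics show an implausible expansion. It assumes the statistics interface is named InputStreamStatistics with getCompressedCount() and getUncompressedCount() describing the entry currently being read, that ZipArchiveInputStream implements it, and that the class name, method names and thresholds below are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.apache.commons.compress.utils.InputStreamStatistics;

/** Reads every entry of a zip but stops as soon as the stream reports a suspicious expansion. */
public final class RatioGuardedZipReader {
    // Constructed limits for this example; tune them for the application.
    static final double MAX_RATIO = 100.0;                  // inflated bytes per compressed byte
    static final long MIN_INFLATED_BEFORE_CHECK = 1L << 20; // ignore the ratio until 1 MiB is inflated
    static final long MAX_TOTAL_INFLATED = 1L << 30;        // hard cap across all entries

    /** Returns the total number of inflated bytes, or throws before a limit is exceeded. */
    public static long readAll(Path zip) throws IOException {
        long total = 0;
        try (InputStream in = Files.newInputStream(zip);
             ZipArchiveInputStream zin = new ZipArchiveInputStream(in)) {
            byte[] buf = new byte[8192];
            ArchiveEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (entry.isDirectory()) {
                    continue;
                }
                int n;
                while ((n = zin.read(buf)) != -1) {
                    total += n;
                    if (total > MAX_TOTAL_INFLATED) {
                        throw new IOException("archive expands beyond " + MAX_TOTAL_INFLATED + " bytes");
                    }
                    // Assumption: the counters describe the entry currently being read.
                    checkRatio(zin, entry.getName());
                }
            }
        }
        return total;
    }

    /** Works for any stream exposing the statistics, e.g. the one returned by ZipFile.getInputStream(entry). */
    static void checkRatio(InputStreamStatistics stats, String entryName) throws IOException {
        long compressed = stats.getCompressedCount();
        long inflated = stats.getUncompressedCount();
        if (compressed == 0 || inflated < MIN_INFLATED_BEFORE_CHECK) {
            return; // too little data to judge; a tiny entry can legitimately show a huge ratio
        }
        double ratio = (double) inflated / compressed;
        if (ratio > MAX_RATIO) {
            throw new IOException("entry " + entryName + " inflates " + ratio + "x, possible zip bomb");
        }
    }
}
```

Checking after every read() rather than once per entry is what keeps a single highly compressible entry from being inflated in full before the ratio is noticed.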
> Zip Bomb Detection
> ------------------
>
> Key: COMPRESS-445
> URL: https://issues.apache.org/jira/browse/COMPRESS-445
> Project: Commons Compress
> Issue Type: Improvement
> Components: Archivers
> Reporter: PJ Fanning
> Priority: Major
> Attachments: InputStreamStatistics.patch.gz
>
>
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this
> relies on Reflection and changes in Java 10 mean this code will not work in
> that version.
> [https://github.com/apache/poi/blob/trunk/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java]
> One option would be to add equivalent change support in commons-compress and
> for Poi to use the commons version.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)