[ https://issues.apache.org/jira/browse/COMPRESS-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16440617#comment-16440617 ]
Stefan Bodewig commented on COMPRESS-445:
-----------------------------------------
I've just had a cursory look and it looks good overall, of course I've got some
nits :). I'll do a more thorough review next weekend.

We don't like *-imports and I think the ZipArchiveInputStream case may be
missing the stored entry case (here I may be wrong as I only looked at the diff
not the patched class).

Unfortunately we don't know how to create zips containing bzip2 entries either
(which isn't strictly true, to be honest, we just haven't coded this up, yet)
and I don't think we'll ever add support for writing the really old compression
methods (implode and shrink).

> Zip Bomb Detection
> ------------------
>
> Key: COMPRESS-445
> URL: https://issues.apache.org/jira/browse/COMPRESS-445
> Project: Commons Compress
> Issue Type: Improvement
> Components: Archivers
> Reporter: PJ Fanning
> Priority: Major
> Fix For: 1.17
>
> Attachments: InputStreamStatistics.patch.gz
>
>
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this
> relies on Reflection and changes in Java 10 mean this code will not work in
> that version.
> [https://github.com/apache/poi/blob/trunk/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java]
> One option would be to add equivalent change support in commons-compress and
> for Poi to use the commons version.