[ https://issues.apache.org/jira/browse/COMPRESS-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16447311#comment-16447311 ]

Stefan Bodewig commented on COMPRESS-445:
-----------------------------------------

[~kiwiwings] I've extended the test cases to cover all ZIP methods as we have 
handmade versions for all of them. I had to ignore the tests for STORED (the 
result from {{ZipArchiveInputStream}} is wrong) and IMPLODE (the two results 
agree but unzip sees a different value). I'll look into them eventually but 
maybe you get there faster than me.

I'll start with the STORED case.

> Zip Bomb Detection
> ------------------
>
>                 Key: COMPRESS-445
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-445
>             Project: Commons Compress
>          Issue Type: Improvement
>          Components: Archivers
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: zip
>             Fix For: 1.17
>
>         Attachments: InputStreamStatistics.patch.gz
>
>
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this 
> relies on Reflection and changes in Java 10 mean this code will not work in 
> that version.
> [https://github.com/apache/poi/blob/trunk/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java]
> One option would be to add equivalent change support in commons-compress and 
> for Poi to use the commons version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
