Just a short update on this - I've provided a patch for POI to use commons compress [1] So now we can focus on how the zip bomb handling can be provided by commons compress, i.e. as you already have mentioned with "InputStream will be a FooInputStream", some kind of interface which the InputStream can be cast to, to request further compression ratio stats, is what I have in mind.
I think this pull mechanism is easier from user perspective than registering a progress handler or getting the meta data pushed by a callback. Andi. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=62187
signature.asc
Description: OpenPGP digital signature