Perhaps turn off POI's protection entirely (because we're already doing it)?

    ZipSecureFile.setMinInflateRatio(-1.0d);

-----Original Message-----
From: Allison, Timothy B. [mailto:[email protected]]
Sent: Wednesday, July 22, 2015 8:39 PM
To: POI Users List ([email protected]) <[email protected]>
Subject: reasonable threshold for ZipSecureFile?

Thank you, all, for the release of 3.13-beta1. I'm in the process of integrating that with Tika.

We're now getting a zip bomb exception with:
http://svn.apache.org/viewvc/tika/trunk/tika-parsers/src/test/resources/test-documents/testWORD_embedded_pdf.docx

How low is reasonable to set the minInflateRatio? 0.000001d (pulled out of a hat)?

I think that POI's .01 = Tika's 100...however, it looks like we're calculating when to throw the zip bomb exception slightly differently.

It looks like in Tika's SecureContentHandler, we're requiring that the stream go beyond the threshold _and_ the ratio be above the ratio threshold:

    if (characterCount > threshold
            && characterCount > byteCount * ratio) {
        throw new SecureSAXException(

However, in POI, it looks like those two checks are effectively _or'd_:

    if (counter < MAX_ENTRY_SIZE) {
        if (cis == null) return;
        double ratio = (double)cis.counter/(double)counter;
        if (ratio > MIN_INFLATE_RATIO) return;
    }
    throw new IOException("Zip bomb detected! Exiting.");

Thank you.

Best,
Tim
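The two checks quoted in the message, modeled side by side as pure predicates. This is an added example, not code from POI or Tika. The class and method names, the `threshold` and `maxEntrySize` values, and the sample sizes are assumptions made for illustration; inflated bytes stand in for Tika's character count, and POI's `cis == null` early return is left out.

```java
public class ZipBombChecks {
    // Check quoted from Tika's SecureContentHandler: reject only when the output
    // is past the threshold AND it exceeds input * ratio.
    static boolean tikaStyleRejects(long characterCount, long byteCount,
                                    long threshold, long ratio) {
        return characterCount > threshold && characterCount > byteCount * ratio;
    }

    // Check quoted from POI: reject when the entry reaches maxEntrySize
    // OR compressed/inflated is at or below minInflateRatio.
    static boolean poiStyleRejects(long inflated, long compressed,
                                   long maxEntrySize, double minInflateRatio) {
        if (inflated < maxEntrySize) {
            double ratio = (double) compressed / (double) inflated;
            if (ratio > minInflateRatio) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Assumed limits; 100 and 0.01 are the ratios named in the message.
        long threshold = 1_000_000L;      // assumed output threshold
        long maxEntrySize = 0xFFFFFFFFL;  // assumed per-entry size cap
        // Constructed cases: {compressed bytes, inflated bytes}
        long[][] cases = {
            {1_000, 50_000},        // ratio 0.02, small entry
            {1_000, 200_000},       // ratio 0.005, small entry
            {10_000, 5_000_000},    // ratio 0.002, large entry
            {3_000_000, 6_000_000}, // ratio 0.5, large entry
        };
        System.out.printf("%-12s %-12s %-6s %-10s %-10s%n",
                "compressed", "inflated", "tika", "poi(0.01)", "poi(-1.0)");
        for (long[] c : cases) {
            System.out.printf("%-12d %-12d %-6b %-10b %-10b%n", c[0], c[1],
                    tikaStyleRejects(c[1], c[0], threshold, 100),
                    poiStyleRejects(c[1], c[0], maxEntrySize, 0.01d),
                    poiStyleRejects(c[1], c[0], maxEntrySize, -1.0d));
        }
    }
}
```

The second case is where the two rules disagree: a small but highly compressible entry is rejected by the POI-style check at 0.01 and accepted by the Tika-style check, while a minimum ratio of -1.0 leaves only the size cap in effect.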
