Doh...one more question.

Just to confirm absolutely, ZipSecureFile is only used on OOXML files, right?
I don't have to do the static set on our doc/xls/ppt wrapper, just the
docx/xlsx/pptx wrapper?

Thank you, again.

-----Original Message-----
From: Allison, Timothy B. [mailto:[email protected]] 
Sent: Thursday, July 23, 2015 12:49 PM
To: POI Users List <[email protected]>
Subject: RE: reasonable threshold for ZipSecureFile?

Thank you!

-----Original Message-----
From: Andreas Beeker [mailto:[email protected]] 
Sent: Thursday, July 23, 2015 12:11 PM
To: POI Users List <[email protected]>
Subject: Re: reasonable threshold for ZipSecureFile?

Hi Tim,

> ZipSecureFile.setMinInflateRatio(-1.0d);
Yes, this would turn it off.

> I think that POI's .01 = Tika's 100...however, it looks like we're 
> calculating when to throw the zip bomb exception slightly differently.
I guess it's better to OR them than to AND the conditions, as an attacker
can simply use random chars to get a worse ratio. Of course this would also
mean that the zip file size would be much bigger than with repeating
sequences. If you process an input stream, i.e. you don't know the file size
beforehand, that would make a difference between OR/AND.

Looking at the junit test for SecureContentHandler I suspect there's still a
Div0 error in the current POI implementation ... I will have to test it ...

And yes ... that .01 was taken over from Tika's 100 ;)

Best wishes,
Andi




---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
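
The OR/AND difference discussed in the thread, as an added example that is not part of the original messages and is not POI or Tika code. It uses plain java.util.zip rather than ZipSecureFile; the class name InflateGuardDemo, the 1 MiB cap and both sample payloads are constructed assumptions, and only the .01 ratio comes from the thread.

```java
import java.io.*;
import java.util.Random;
import java.util.zip.*;

public class InflateGuardDemo {
    static final double MIN_RATIO = 0.01d;      // ratio quoted in the thread
    static final long MAX_INFLATED = 1L << 20;  // constructed cap (1 MiB), an assumption
    /** Inflates fully and returns the inflated size, or throws once the policy trips. */
    static long inflate(byte[] deflated, boolean useOr) throws IOException {
        Inflater inf = new Inflater();
        try (InputStream in = new InflaterInputStream(new ByteArrayInputStream(deflated), inf)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) {
                long read = inf.getBytesRead();     // compressed bytes consumed so far
                long out = inf.getBytesWritten();   // inflated bytes produced so far
                // Multiply instead of dividing, so a zero counter is never a divisor.
                boolean badRatio = read < MIN_RATIO * out;
                boolean tooBig = out > MAX_INFLATED;
                if (useOr ? (badRatio || tooBig) : (badRatio && tooBig)) {
                    throw new IOException("limit hit after " + read + " -> " + out + " bytes");
                }
            }
            return inf.getBytesWritten();
        } finally {
            inf.end();
        }
    }
    static byte[] deflate(byte[] raw) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (OutputStream out = new DeflaterOutputStream(bos)) { out.write(raw); }
        return bos.toByteArray();
    }
    static String run(byte[] deflated, boolean useOr) {
        try {
            return "passed, " + inflate(deflated, useOr) + " bytes inflated";
        } catch (IOException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }
    public static void main(String[] args) throws IOException {
        byte[] zeros = new byte[4 << 20];           // constructed: repeating sequence
        byte[] noise = new byte[4 << 20];           // constructed: random chars
        new Random(1).nextBytes(noise);
        for (boolean useOr : new boolean[] {true, false}) {
            System.out.println((useOr ? "OR " : "AND") + " zeros: " + run(deflate(zeros), useOr));
            System.out.println((useOr ? "OR " : "AND") + " noise: " + run(deflate(noise), useOr));
        }
    }
}
```

With the conditions AND-ed, the random payload is never rejected because its ratio stays near 1; with them OR-ed, the size cap stops it, and the all-zero payload is rejected on ratio alone.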

