https://bugzilla.wikimedia.org/show_bug.cgi?id=63835
Bug ID: 63835
Summary: Cap size of files within packages
Product: MediaWiki extensions
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: MultiUpload
Assignee: [email protected]
Reporter: [email protected]
Web browser: ---
Mobile Platform: ---
It's possible for a small .zip file to expand to arbitrarily large content
files. This opens a DoS vector in this extension's upload-and-unpack feature.
It can use unzip -l or equivalent (and tar -t or equivalent for tar files) to
find out how large the package's contents are before unpacking it, and refuse
oversize content.
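The pre-unpack check proposed in the report, as an added example that is not part of the bug report or the MultiUpload code base: it reads the declared member sizes of a zip or tar package (the same figures unzip -l and tar -t -v list) and refuses the package before anything is extracted. The limits, the function names and the in-memory sample packages are assumptions made for illustration.

```python
import io
import tarfile
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed policy limit, not from the extension
MAX_MEMBERS = 1000                  # assumed policy limit


class PackageTooLarge(Exception):
    """Raised when a package declares more content than policy allows."""


def declared_sizes(fileobj):
    """Return each member's declared uncompressed size without unpacking it."""
    if zipfile.is_zipfile(fileobj):
        fileobj.seek(0)
        with zipfile.ZipFile(fileobj) as zf:  # same data as `unzip -l`
            return [info.file_size for info in zf.infolist()]
    fileobj.seek(0)
    # Same data as `tar -t -v`; headers are walked, nothing is written to disk.
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        return [member.size for member in tf if member.isfile()]


def check_package(fileobj, max_total=MAX_TOTAL_BYTES, max_members=MAX_MEMBERS):
    """Return the declared total size, or raise PackageTooLarge."""
    sizes = declared_sizes(fileobj)
    if len(sizes) > max_members:
        raise PackageTooLarge(f"{len(sizes)} members > limit {max_members}")
    total = sum(sizes)
    if total > max_total:
        raise PackageTooLarge(f"{total} bytes declared > limit {max_total}")
    return total


def sample_package(kind, payload_size):
    """Constructed test input: one highly compressible member, in memory."""
    buf, data = io.BytesIO(), b"\0" * payload_size
    if kind == "zip":
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("blob.bin", data)
    else:  # gzip-compressed tar
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            info = tarfile.TarInfo("blob.bin")
            info.size = payload_size
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

The sizes come from archive headers supplied by the uploader, so the unpack step should still stop writing once the limit is reached.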