On Mon 21 Feb 2011 16:35 +0100, Lukas Fleischer wrote:
> On Mon, Feb 21, 2011 at 03:46:47PM +0100, Dieter Plaetinck wrote:
> > On Mon, 21 Feb 2011 14:50:39 +0100
> > Lukas Fleischer <archli...@cryptocrack.de> wrote:
> >
> > > The only issue that might affect the end users as well is "ZIP bombs".
> > > Most users will probably notice such a thing before it is entirely
> > > extracted, just interrupt tar(1)/gzip(1) and send a removal request to
> > > aur-general, however.
> >
> > hmmm. some good points.
> > I guess I could try the suggested approach and see how I like it.
> > However, now that you bring up the "zip bombs", do you think it's
> > feasible to scan for them serverside without compromising security
> > and/or making things needlessly complicated? it would be useful for
> > clients if that one aspect could be filtered out in advance.
>
> I don't think this is possible without decompressing the tarball which
> is again vulnerable to (D)DoS.
It might be possible. There are xz -l and gunzip -l functions to preview the uncompressed size of archives without decompression.
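The following is an added Python example, not code from the thread or from the AUR, showing what such a server-side pre-check could look like. The number `gzip -l` prints comes from the ISIZE field in the 8-byte gzip trailer; it is written by whoever produced the file and is only the uncompressed length modulo 2**32, so it is useful for rejecting an upload cheaply but cannot be trusted to accept one. The second step therefore decompresses in a streaming fashion with an output cap, which bounds memory and time regardless of how far the archive expands. The size limits and the zero-filled sample archive are constructed for the example; a real deployment would pick its own limit.

```python
"""Pre-screen a gzip upload for "zip bomb" behaviour before tar(1) touches it.

Step 1 reads the ISIZE trailer (the value `gzip -l` reports): free, but only a hint.
Step 2 decompresses with an output cap so a hostile archive cannot exhaust memory.
"""
import gzip
import struct
import zlib

CHUNK = 64 * 1024  # output produced per decompress call; bounds peak memory use


def declared_size(data: bytes) -> int:
    """Uncompressed length claimed by the gzip trailer (what `gzip -l` prints)."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":  # 10-byte header + 8-byte trailer
        raise ValueError("not a gzip stream")
    # ISIZE: last 4 bytes, little-endian, uncompressed length mod 2**32
    return struct.unpack("<I", data[-4:])[0]


def bounded_uncompressed_size(data: bytes, limit: int):
    """Return the true uncompressed length, or None as soon as it exceeds `limit`.

    Raises zlib.error on a corrupt stream, including one whose trailer lies about
    the length: zlib verifies both CRC32 and ISIZE when it reaches end of stream.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    total = 0
    pending = data
    while pending and not d.eof:
        out = d.decompress(pending, CHUNK)  # never more than CHUNK bytes of output
        total += len(out)
        if total > limit:
            return None                     # stop early; no need to see the rest
        pending = d.unconsumed_tail         # input zlib has not consumed yet
    total += len(d.flush())                 # drain any remaining output
    if not d.eof:
        raise zlib.error("truncated gzip stream")
    return None if total > limit else total


def check_archive(data: bytes, max_uncompressed: int) -> dict:
    """Verdict for an uploaded archive: 'ok', 'too-large' or 'corrupt'."""
    declared = declared_size(data)
    if declared > max_uncompressed:
        # Cheap rejection on the trailer hint alone; no decompression needed.
        return {"declared": declared, "actual": None, "verdict": "too-large"}
    try:
        actual = bounded_uncompressed_size(data, max_uncompressed)
    except zlib.error:
        return {"declared": declared, "actual": None, "verdict": "corrupt"}
    verdict = "ok" if actual is not None else "too-large"
    return {"declared": declared, "actual": actual, "verdict": verdict}


def sample_archive(size: int = 1 << 20, forged_isize=None) -> bytes:
    """Constructed test input: `size` zero bytes gzipped, optionally with a lying trailer."""
    data = gzip.compress(b"\0" * size)
    if forged_isize is not None:
        data = data[:-4] + struct.pack("<I", forged_isize)
    return data


if __name__ == "__main__":
    # 1 MiB of zeros compresses to roughly a kilobyte: a mild bomb.
    honest = sample_archive()
    print(check_archive(honest, 10 << 20))    # ok, actual 1048576
    print(check_archive(honest, 100 << 10))   # too-large, rejected from the trailer alone
    # Same stream with ISIZE forged to 1 KiB: the hint passes, the bounded pass does not.
    forged = sample_archive(forged_isize=1024)
    print(check_archive(forged, 100 << 10))   # too-large, caught after ~128 KiB of output
    print(check_archive(forged, 10 << 20))    # corrupt: zlib rejects the mismatched trailer
```

The same two-stage idea carries over to xz: `xz -l` reads the uncompressed size from the index at the end of the .xz container, which is equally attacker-controlled, so it serves the same role as the gzip trailer hint and the capped streaming decompression remains the check that actually holds.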