https://issues.apache.org/bugzilla/show_bug.cgi?id=50090
Summary: 'zip' bomb prevention
Product: POI
Version: 3.7-dev
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: POI Overall
AssignedTo: [email protected]
ReportedBy: [email protected]
POI uses InflaterInputStream in multiple places for decompression of images
etc. The InflaterInputStream is used without any limit on the number of bytes
written after deflating. This makes POI vulnerable to a 'zip' bomb which is a
very large file (possibly multiple GBs) with only zero bytes. Because the file
only contains zeros, the compressed file is very small.
To protect against a 'zip' bomb, the output from the InflaterInputStream should
be wrapped in a stream that only accepts a certain amount of bytes.
My suggestion would be to allow POI users to register a global output buffer
factory (or something like that) that allows the POI user to modify how a
buffer is used globally. A POI user can then decide whether the buffer should
stream to disk and/or set a limit on the number of bytes accepted.
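As an added example (not POI's own code), the kind of limiting wrapper the report asks for, placed around InflaterInputStream and run against a constructed all-zero payload; the class names and the 16 MiB limit are assumptions.

```java
import java.io.*;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;

/** Counts bytes read through the stream and fails once maxBytes is exceeded. */
final class LimitedInputStream extends FilterInputStream {
    private final long maxBytes;
    private long count;
    LimitedInputStream(InputStream in, long maxBytes) {
        super(in);
        this.maxBytes = maxBytes;
    }
    @Override public int read() throws IOException {
        int b = in.read();
        if (b != -1) account(1);
        return b;
    }
    @Override public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);   // FilterInputStream.read(byte[]) routes here too
        if (n > 0) account(n);
        return n;
    }
    private void account(long n) throws IOException {
        count += n;   // total inflated bytes handed to the caller so far
        if (count > maxBytes) throw new IOException("inflated data exceeds " + maxBytes + " bytes");
    }
}

public class ZipBombDemo {
    /** Constructed sample: 64 MiB of zeros, which deflates to tens of kilobytes. */
    static byte[] zeroBomb() throws IOException {
        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        try (DeflaterOutputStream dos = new DeflaterOutputStream(compressed)) {
            byte[] zeros = new byte[1 << 20];
            for (int i = 0; i < 64; i++) dos.write(zeros);
        }
        return compressed.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        byte[] bomb = zeroBomb();
        // Assumed policy: never inflate more than 16 MiB for a single embedded image.
        try (InputStream in = new LimitedInputStream(
                new InflaterInputStream(new ByteArrayInputStream(bomb)), 16L << 20)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* consume as a decoder would */ }
            System.out.println("inflated within limit");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());   // expected for the bomb
        }
    }
}
```

The same wrapper can sit in front of any consumer that reads the inflated bytes, so the limit is enforced regardless of whether the buffer ends up in memory or on disk.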