https://bz.apache.org/bugzilla/show_bug.cgi?id=66840
cnj_0304 <cnj_0...@qq.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|1 |0 Status|RESOLVED |UNCONFIRMED Resolution|INFORMATIONPROVIDED |--- --- Comment #7 from cnj_0304 <cnj_0...@qq.com> --- (In reply to PJ Fanning from comment #1) > We know about this and there isn't much we can do. Anyone who parses > xlsx/docx/pptx/etc. files will need to be aware that the data is compressed > and that the resulting decompressed data can be huge. > > We do check for zip bombs - ie data that has a very high ratio when > decompressing. > > See the setMinInflateRatio documentation in > https://poi.apache.org/components/configuration.html However, I found that if the payload size is less than 100 KB, the logic of comparing compression ratios cannot be executed. I think this code has a bug. The interfaces you mentioned above lose the meaning of user customization. For example: org.apache.poi.openxml4j.util.ZipSecureFile.setMinInflateRatio(double ratio) org.apache.poi.openxml4j.util.ZipSecureFile.setMaxEntrySize(long maxEntrySize) Problem Code: checkThreshold(): // check the file size first, in case we are working on uncompressed streams if(payloadSize > MAX_ENTRY_SIZE) { throw new IOException(String.format(Locale.ROOT, MAX_ENTRY_SIZE_MSG, payloadSize, rawSize, MAX_ENTRY_SIZE, entryName)); } // don't alert for small expanded size if (payloadSize <= GRACE_ENTRY_SIZE) { return; // here is return } double ratio = rawSize / (double)payloadSize; if (ratio >= MIN_INFLATE_RATIO) { return; } -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org