https://bz.apache.org/bugzilla/show_bug.cgi?id=66840
cnj_0304 <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #10 from cnj_0304 <[email protected]> ---
Created attachment 38722
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38722&action=edit
example bomb

This compressed package contains four parts:
1. Bomb.zip: the test case for verifying the OOM, with 4000 files, a total size of 390M, and a compressed file size of 950K;
2. Idea_VM_Config.png: the IDEA configuration of the VM memory size, with only 300M configured to simulate a service with limited memory;
3. Test.java: the test code, validating the service. With limited memory and a large number of compressed files smaller than 100KB, simply limiting the compression ratio cannot protect against zip bombs;
4. Example_OOM.png: the validation result, an OOM in IOUtils.byteArray;

Our service limits the size of uploaded compressed packets to 2M and the service memory size to 500M, and when the compression ratio ZipSecureFile.MIN_INFLATE_RATIO=0.01 takes effect, the service can process normally. But in reality, it cannot protect against the scenario of the above test case.
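An added illustration, not part of the bug comment and not Apache POI code: a Python example of why a per-entry ratio floor alone passes an archive shaped like the one described in comment #10, and how an aggregate inflated-size and entry-count budget rejects it. The 100 KB grace size, the names `scan`, `build_sample` and `ArchiveRejected`, and the budget values are assumptions; the ratio check is a simplified model, not `ZipSecureFile` itself.

```python
import io
import zipfile

GRACE_ENTRY_SIZE = 100 * 1024  # assumption: entries at or below this skip the ratio check
MIN_INFLATE_RATIO = 0.01       # compressed/inflated floor, the value quoted in the comment
CHUNK = 16 * 1024

class ArchiveRejected(Exception):
    """Raised when an archive breaks a per-entry or aggregate limit."""

def build_sample(entries=50, size=90 * 1024):
    """Constructed sample: small, highly compressible entries (far smaller than the attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(entries):
            zf.writestr(f"part{i}.bin", b"\0" * size)
    return buf.getvalue()

def scan(data, max_total=None, max_entries=None):
    """Inflate every entry in chunks; return the total inflated bytes or raise ArchiveRejected."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if max_entries is not None and len(infos) > max_entries:
            raise ArchiveRejected(f"{len(infos)} entries exceeds limit {max_entries}")
        for info in infos:
            seen = 0
            with zf.open(info) as src:
                while chunk := src.read(CHUNK):
                    seen += len(chunk)
                    total += len(chunk)
                    # Aggregate budget: counts bytes actually inflated, not header sizes.
                    if max_total is not None and total > max_total:
                        raise ArchiveRejected(f"inflated size exceeds {max_total} bytes")
                    # Per-entry ratio floor: never evaluated for entries under the grace size.
                    if seen > GRACE_ENTRY_SIZE and info.compress_size / seen < MIN_INFLATE_RATIO:
                        raise ArchiveRejected(f"{info.filename}: ratio below {MIN_INFLATE_RATIO}")
    return total
```

Sizing `max_total` against the memory the service can actually spare, rather than against the upload size limit, is what bounds the scenario in the comment.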
