[ https://issues.apache.org/jira/browse/COMPRESS-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16447277#comment-16447277 ]
Stefan Bodewig commented on COMPRESS-445:
-----------------------------------------

Your patch is in together with some cosmetic changes.

https://github.com/apache/commons-compress/commit/0646aa7d4d0ece484e26e8ab262265cc9263c350 should make sure we get the correct compressed count for all methods supported, but a second pair of eyes is very much appreciated.

> Zip Bomb Detection
> ------------------
>
> Key: COMPRESS-445
> URL: https://issues.apache.org/jira/browse/COMPRESS-445
> Project: Commons Compress
> Issue Type: Improvement
> Components: Archivers
> Reporter: PJ Fanning
> Priority: Major
> Labels: zip
> Fix For: 1.17
>
> Attachments: InputStreamStatistics.patch.gz
>
>
> It would be a nice feature if ZipFile had support for detecting Zip Bombs.
> Apache Poi has an implementation based on the java util ZipFile but this
> relies on Reflection and changes in Java 10 mean this code will not work in
> that version.
> [https://github.com/apache/poi/blob/trunk/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java]
> One option would be to add equivalent change support in commons-compress and
> for Poi to use the commons version.
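The following is an added example, not code from this issue, the attached patch or the Commons Compress project: it shows how a caller could use the compressed and uncompressed byte counts discussed above to reject an entry while reading it. It assumes the `InputStreamStatistics` interface shipped in Commons Compress 1.17; the class name `ZipBombCheck`, the three threshold values and the sample archive are made up for illustration.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.utils.InputStreamStatistics;

public class ZipBombCheck {
    // Assumed policy values for this example; tune them to the files you expect.
    static final double MIN_INFLATE_RATIO = 0.01;   // compressed / uncompressed
    static final long RATIO_GRACE_BYTES = 1L << 20; // no ratio check for the first 1 MiB of output
    static final long MAX_ENTRY_BYTES = 512L << 20; // hard cap per entry

    /** Reads one entry to the end, failing as soon as a limit is crossed. */
    static long readChecked(ZipFile zip, ZipArchiveEntry entry) throws IOException {
        try (InputStream in = zip.getInputStream(entry)) {
            if (!(in instanceof InputStreamStatistics)) {
                throw new IOException("no byte counters for entry " + entry.getName());
            }
            InputStreamStatistics stats = (InputStreamStatistics) in;
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) {
                // The counters come from the stream itself, not from the size
                // fields in the archive headers, which the sender controls.
                long out = stats.getUncompressedCount();
                long comp = stats.getCompressedCount();
                if (out > MAX_ENTRY_BYTES) {
                    throw new IOException("entry too large: " + entry.getName());
                }
                if (out > RATIO_GRACE_BYTES && (double) comp / out < MIN_INFLATE_RATIO) {
                    throw new IOException("suspicious inflate ratio in " + entry.getName());
                }
            }
            return stats.getUncompressedCount();
        }
    }
    public static void main(String[] args) throws IOException {
        File f = File.createTempFile("sample", ".zip"); // constructed test input
        try (ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(f))) {
            zos.putNextEntry(new ZipEntry("zeros.bin"));
            zos.write(new byte[4 << 20]);               // 4 MiB of zeros, highly compressible
        }
        try (ZipFile zip = new ZipFile(f)) {
            System.out.println(readChecked(zip, zip.getEntry("zeros.bin")) + " bytes read");
        } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the check runs inside the read loop, reading stops at the first violation, so the entry is never fully expanded in memory or on disk.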