Hi, Apache POI is opening zip-files on a regular basis because Microsoft Excel/Word/... files are zip-files in their newer format. In order to prevent some types of denial-of-service-attacks, we have added functionality when opening Zip-files to not read files which expand a lot and thus could be used to overwhelm the main memory by providing small malicious file which explodes when uncompressed into memory. We call this zip-bomb protection.
Up to Java 9 we could use some workaround via reflection to inject a counting-InputStream into ZipFile/ZipEntry to detect an explosion in expanded data and this way prevent zip-bombs. However in Java 10 this is not possible any more because the implementation of ZipFile was changed in a way that prevents this (hard cast to ZipFile$ZipFileInputStream in ZipFile). So we are looking for a different way to count the number of extracted bytes while extracting to be able to stop as soon as the compression ratio reaches a certain limit. Could we do this with Commons Compress? I.e. wrap the InputStreams with some counting so that we can stop during extracting. Or does anybody know of a way to do zip-bomb-detection differently without resorting to reflection? Thanks... Dominik. Apache POI PMC/Comitter --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
