Thank you, all, for the release of 3.13-beta1. I'm in the process of
integrating that with Tika. We're now getting a zip bomb exception with:
http://svn.apache.org/viewvc/tika/trunk/tika-parsers/src/test/resources/test-documents/testWORD_embedded_pdf.docx
How low is reasonable to set the minInflateRatio? 0.000001d (pulled out of a
hat)? I think that POI's .01 = Tika's 100...however, it looks like we're
calculating when to throw the zip bomb exception slightly differently.
It looks like in Tika's SecureContentHandler, we're requiring that the stream
go beyond the threshold _and_ the ratio be above the ratio threshold:
    if (characterCount > threshold
            && characterCount > byteCount * ratio) {
        throw new SecureSAXException(
However, in POI, it looks like those two checks are effectively _or'd_:
    if (counter < MAX_ENTRY_SIZE) {
        if (cis == null) return;
        double ratio = (double)cis.counter/(double)counter;
        if (ratio > MIN_INFLATE_RATIO) return;
    }
    throw new IOException("Zip bomb detected! Exiting.");
Thank you.
Best,
Tim
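
The difference between the two checks described in the message above, as an added example that is not part of the original message and is not POI or Tika code. The class name, method names, both size limits and all sample sizes are assumptions made for illustration; only the .01 and 100 ratios come from the message, and Tika's character/byte counts are simplified to inflated/compressed byte counts.

```java
public class ZipBombCheckComparison {
    // The .01 and 100 ratios come from the message; the two size limits are assumed.
    static final double POI_MIN_INFLATE_RATIO = 0.01d;   // compressed / inflated
    static final long POI_MAX_ENTRY_SIZE = 0xFFFFFFFFL;  // assumed size cap
    static final long TIKA_MAX_RATIO = 100L;             // output / input
    static final long TIKA_THRESHOLD = 1_000_000L;       // assumed output floor

    // Tika-style: reject only when the output is past the threshold
    // AND the expansion ratio is exceeded.
    static boolean tikaStyleRejects(long compressed, long inflated) {
        return inflated > TIKA_THRESHOLD
                && inflated > compressed * TIKA_MAX_RATIO;
    }

    // POI-style, following the quoted snippet (the cis == null case is omitted):
    // accept only when under the size cap and the ratio is high enough,
    // so reaching the cap OR a low ratio is enough to reject.
    static boolean poiStyleRejects(long compressed, long inflated) {
        if (inflated < POI_MAX_ENTRY_SIZE) {
            double ratio = (double) compressed / (double) inflated;
            if (ratio > POI_MIN_INFLATE_RATIO) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: label, then {compressed bytes, inflated bytes}.
        String[] labels = {
            "ordinary part",
            "small, highly repetitive part",
            "large, highly repetitive part",
            "huge part, ordinary ratio",
        };
        long[][] sizes = {
            {20_000L, 100_000L},
            {300L, 60_000L},
            {10_000L, 50_000_000L},
            {2_500_000_000L, 5_000_000_000L},
        };
        for (int i = 0; i < labels.length; i++) {
            long c = sizes[i][0], n = sizes[i][1];
            System.out.printf("%-32s poi=%-5b tika=%b%n",
                    labels[i], poiStyleRejects(c, n), tikaStyleRejects(c, n));
        }
    }
}
```

With these constructed sizes, the small, highly repetitive part and the huge part with an ordinary ratio are each rejected by the POI-style check alone, one for each branch of the "or".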