Hi Tim, > ZipSecureFile.setMinInflateRatio(-1.0d); Yes, this would turn it off.
> I think that POI's .01 = Tika's 100...however, it looks like we're > calculating when to throw the zip bomb exception slightly differently. I guess it's better to OR them than to AND the conditions, as a attacker simply can use random chars to get a worse ratio. Of course this would also mean, that the zip file size would be much bigger than with repeating sequences. If you process a input stream, i.e. you don't know the file size beforehand, that would make a difference between OR/AND. Looking at the junit test for SecureContentHandler I suspect there's still a Div0 error in the current poi implementation ... I will have to test it ... And yes ... that .01 was taken over from Tikas 100 ;) Best wishes, Andi --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
