>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> I am surprised to see the security considerations refer to VD> multi-file gzip inputs, and processing of the filename VD> metadata inside the gzip stream. I've never seen anyone VD> do that. In practice 'gzip' archives are assumed to VD> contain just one "file", and the name from the gzip VD> metadata is ignored, instead the user specified where VD> to write the output. That did also surprise me, but the rfc makes it clear that it is permitted and thus one must assume that bad actors would try that as an attack. Since the update came from a media-type expert, it is probably something he thinks all GZIP uncomressors should keep in mind. VD> I rather think it makes more sense here to specify that VD> the "+gzip" MIME sub-type always holds exactly one VD> compressed object, and that the filename hint in VD> the compressed stream should be ignored. That idea has value. VD> By far the more interesting issue with compressed VD> content, is potential DoS, because small inputs VD> can uncompress to unreasonably large outputs. Another attack vector everyone needs to expect. VD> Applications might want to set limits on the amount VD> of data they're willing to extract from the compressed VD> stream. Good advice. -JimC -- James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6 _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
