You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@poi.apache.org by bu...@apache.org on 2016/06/20 09:49:50 UTC

[Bug 58499] ZipSecureFile throws zip bomb detected

https://bz.apache.org/bugzilla/show_bug.cgi?id=58499

--- Comment #5 from Axel Howind <ax...@dua3.com> ---
I think the check should only be done when reading a workbook but never when
writing. Since in the example code no workbook is read, the problem seems to be
that the streaming API writes to a temp file and reads that back in again.

I just got hot by this problem, and the suggested fix to adjust the limit by
calling ZipSecureFile.setMinInflateRation() does not seem appropriate since it
is a global setting and thus would make applications that both read and write
workbooks less secure.

I have not checked the POI code yet, but I'd suggest better not using
ZipSecureFile when *writing* workbooks (or in this case: reading back the
temporary files created when writing an instance of SXSSFWorkbook).

Would such a patch be accepted?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org