I just read about zip bombs, i.e. zip files that contain very large amount of highly compressible data (00000000000000000...).
我刚刚读了一些关于zip bomb的文章,比如zip文件包含大量高度可压缩的数据(00000000000000000…)。
When opened they fill the server's disk.
打开时,它们将填满服务器的磁盘。
How can I detect a zip file is a zip bomb before unzipping it?
如何在解压缩之前检测zip文件是zip炸弹?
UPDATE Can you tell me how is this done in Python or Java?
你能告诉我这是如何在Python或Java中完成的吗?
7 个解决方案
#1
20
Try this in Python:
在Python试试这个:
import zipfile
z = zipfile.ZipFile('c:/a_zip_file')
print 'total files size=', sum(e.file_size for e in z.infolist())
z.close()
#2
19
Zip is, erm, an "interesting" format. A robust solution is to stream the data out, and stop when you have had enough. In Java, use ZipInputStream rather than ZipFile. The latter also requires you to store the data in a temporary file, which is also not the greatest of ideas.
Zip是,erm,一种“有趣”的格式。一个健壮的解决方案是将数据流出去,当您已经有足够的数据时停止。在Java中,使用ZipInputStream而不是ZipFile。后者还要求您将数据存储在临时文件中,这也不是最伟大的想法。
#3
10
Reading over the description on Wikipedia -
阅读*上的描述-
Deny any compressed files that contain compressed files.
Use ZipFile.entries() to retrieve a list of files, then ZipEntry.getName() to find the file extension.
Deny any compressed files that contain files over a set size, or the size can not be determined at startup.
While iterating over the files use ZipEntry.getSize() to retrieve the file size.
拒绝任何包含压缩文件的压缩文件。使用ZipFile.entries()检索文件列表,然后使用ZipEntry.getName()查找文件扩展名。拒绝任何包含超过设置大小的文件的压缩文件,或者无法在启动时确定大小。在遍历文件时,使用ZipEntry.getSize()检索文件大小。
#4
5
Check a zip header first :)
首先检查一个zip头:)
#5
4
If the ZIP decompressor you use can provide the data on original and compressed size you can use that data. Otherwise start unzipping and monitor the output size - if it grows too much cut it loose.
如果您使用的ZIP解压程序可以提供原始和压缩大小的数据,那么您可以使用该数据。否则,启动解压缩并监视输出大小——如果输出太大,则将其释放。
#6
4
Don't allow the upload process to write enough data to fill up the disk, ie solve the problem, not just one possible cause of the problem.
不要让上传过程写足够的数据来填满磁盘(解决问题,而不仅仅是问题的一个可能原因)。
#7
1
Make sure you are not using your system drive for temp storage. I am not sure if a virusscanner will check it if it encounters it.
确保您没有将系统驱动器用于临时存储。我不确定一个病毒扫描器是否会检查它是否遇到它。
Also you can look at the information inside the zip file and retrieve a list of the content. How to do this depends on the utility used to extract the file, so you need to provide more information here
您还可以查看zip文件中的信息并检索内容列表。如何做到这一点取决于用于提取文件的实用程序,因此您需要在这里提供更多的信息?
#1
20
Try this in Python:
在Python试试这个:
import zipfile
z = zipfile.ZipFile('c:/a_zip_file')
print 'total files size=', sum(e.file_size for e in z.infolist())
z.close()
#2
19
Zip is, erm, an "interesting" format. A robust solution is to stream the data out, and stop when you have had enough. In Java, use ZipInputStream rather than ZipFile. The latter also requires you to store the data in a temporary file, which is also not the greatest of ideas.
Zip是,erm,一种“有趣”的格式。一个健壮的解决方案是将数据流出去,当您已经有足够的数据时停止。在Java中,使用ZipInputStream而不是ZipFile。后者还要求您将数据存储在临时文件中,这也不是最伟大的想法。
#3
10
Reading over the description on Wikipedia -
阅读*上的描述-
Deny any compressed files that contain compressed files.
Use ZipFile.entries() to retrieve a list of files, then ZipEntry.getName() to find the file extension.
Deny any compressed files that contain files over a set size, or the size can not be determined at startup.
While iterating over the files use ZipEntry.getSize() to retrieve the file size.
拒绝任何包含压缩文件的压缩文件。使用ZipFile.entries()检索文件列表,然后使用ZipEntry.getName()查找文件扩展名。拒绝任何包含超过设置大小的文件的压缩文件,或者无法在启动时确定大小。在遍历文件时,使用ZipEntry.getSize()检索文件大小。
#4
5
Check a zip header first :)
首先检查一个zip头:)
#5
4
If the ZIP decompressor you use can provide the data on original and compressed size you can use that data. Otherwise start unzipping and monitor the output size - if it grows too much cut it loose.
如果您使用的ZIP解压程序可以提供原始和压缩大小的数据,那么您可以使用该数据。否则,启动解压缩并监视输出大小——如果输出太大,则将其释放。
#6
4
Don't allow the upload process to write enough data to fill up the disk, ie solve the problem, not just one possible cause of the problem.
不要让上传过程写足够的数据来填满磁盘(解决问题,而不仅仅是问题的一个可能原因)。
#7
1
Make sure you are not using your system drive for temp storage. I am not sure if a virusscanner will check it if it encounters it.
确保您没有将系统驱动器用于临时存储。我不确定一个病毒扫描器是否会检查它是否遇到它。
Also you can look at the information inside the zip file and retrieve a list of the content. How to do this depends on the utility used to extract the file, so you need to provide more information here
您还可以查看zip文件中的信息并检索内容列表。如何做到这一点取决于用于提取文件的实用程序,因此您需要在这里提供更多的信息?