java 我如何保护自己免受拉链炸弹的伤害?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1459080/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I protect myself from a zip bomb?
提问by flybywire
I just read about zip bombs, i.e. zip files that contain very large amount of highly compressible data (00000000000000000...).
我刚刚阅读了zip 炸弹,即包含大量高度可压缩数据的 zip 文件(00000000000000000...)。
When opened they fill the server's disk.
当它们打开时,它们会填满服务器的磁盘。
How can I detect a zip file is a zip bomb beforeunzipping it?
如何在解压缩之前检测 zip 文件是 zip 炸弹?
UPDATECan you tell me how is this done in Python or Java?
更新你能告诉我这是如何在 Python 或 Java 中完成的吗?
采纳答案by Nick Dandoulakis
Try this in Python:
在 Python 中试试这个:
import zipfile
z = zipfile.ZipFile('c:/a_zip_file')
print 'total files size=', sum(e.file_size for e in z.infolist())
z.close()
回答by Tom Hawtin - tackline
Zip is, erm, an "interesting" format. A robust solution is to stream the data out, and stop when you have had enough. In Java, use ZipInputStreamrather than ZipFile. The latter also requires you to store the data in a temporary file, which is also not the greatest of ideas.
Zip 是,呃,一种“有趣”的格式。一个强大的解决方案是将数据流式传输出来,并在您受够了时停止。在 Java 中,使用ZipInputStream而不是ZipFile. 后者还需要你将数据存储在一个临时文件中,这也不是最大的想法。
回答by Michael Lloyd Lee mlk
Reading over the description on Wikipedia -
阅读维基百科上的描述 -
Deny any compressed files that contain compressed files.
Use ZipFile.entries()to retrieve a list of files, then ZipEntry.getName()to find the file extension.
Deny any compressed files that contain files over a set size, or the size can not be determined at startup.
While iterating over the files use ZipEntry.getSize()to retrieve the file size.
拒绝任何包含压缩文件的压缩文件。
使用ZipFile.entries()检索文件列表,然后使用ZipEntry.getName()查找文件扩展名。
拒绝任何包含超过设定大小的文件的压缩文件,或者在启动时无法确定大小。
在迭代文件时使用ZipEntry.getSize()来检索文件大小。
回答by Pete Kirkham
Don't allow the upload process to write enough data to fill up the disk, ie solve the problem, not just one possible cause of the problem.
不要让上传过程写入足够的数据来填满磁盘,即解决问题,而不仅仅是问题的一种可能原因。
回答by Vladislav Rastrusny
Check a zip header first :)
首先检查 zip 标头 :)
回答by sharptooth
If the ZIP decompressor you use can provide the data on original and compressed size you can use that data. Otherwise start unzipping and monitor the output size - if it grows too much cut it loose.
如果您使用的 ZIP 解压缩器可以提供原始和压缩大小的数据,您就可以使用该数据。否则开始解压缩并监视输出大小 - 如果它增长太多,请将其松开。
回答by Heiko Hatzfeld
Make sure you are not using your system drive for temp storage. I am not sure if a virusscanner will check it if it encounters it.
确保您没有将系统驱动器用于临时存储。如果遇到病毒扫描程序,我不确定它是否会检查它。
Also you can look at the information inside the zip file and retrieve a list of the content. How to do this depends on the utility used to extract the file, so you need to provide more information here
您还可以查看 zip 文件中的信息并检索内容列表。如何执行此操作取决于用于提取文件的实用程序,因此您需要在此处提供更多信息
