Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: looks ok

Check inputs to java.util.ZipInputStream for cases that cause consumption of excessive system resources. Denial of service can occur when resource usage is disproportionately large in comparison to the input data that causes the resource usage. The nature of the Zip zip algorithm permits the existence of "zip bombs" whereby a short file is very highly compressed, for instance, ZIPs, GIFs and gzip encoded HTTP content.

The Zip zip algorithm is capable of producing very large compression ratios [Mahmoud 2002]. The example below shows a file that was compressed from 148MB to 590KB, a ratio of more than 200 to 1. The file consists of arbitrarily repeated data: alternating lines of 'a' characters and 'b' characters. Even higher compression ratios can be easily obtained using more input data, more targeted input data, and other compression methods.

...

Any entry in a Zip file whose uncompressed filesize file size is beyond a certain limit must not be uncompressed. The actual limit is dependent on the capabilities of the platform.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f9006f8928242f5a-28cc413e-4b4f4e34-95be999e-289f836af7694f1383ccff53"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 409

http://cwe.mitre.org/data/definitions/409.html] "Improper Handling of Highly Compressed Data (Data Amplification)"]]></ac:plain-text-body></ac:structured-macro>

...