...
In this compliant solution, the code inside the while loop tracks the uncompressed file size of each entry in a zip archive while extracting the entry. It throws an exception if the entry being extracted is too large — about 100MB in this case. We do not use the ZipEntry.getSize() method because the value it reports is not reliable. Note that we validate the name of the file specified in the zip entry before using it to create a new file. We do not trust the source of the zip file, so this validation is done in compliance with rule IDS00-J. Sanitize untrusted data passed across a trust boundary.
| Code Block | ||
|---|---|---|
| ||
static final int BUFFER = 512;
static final int TOOBIG = 0x6400000; // 100MB
// ...
private String validateFilename(String filename) { ... }
public final void unzip(String filename) throws java.io.IOException{
FileInputStream fis = new FileInputStream(filename);
ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try{
while ((entry = zis.getNextEntry()) != null) {
System.out.println("Extracting: " + entry);
int count;
byte data[] = new byte[BUFFER]; // write the files to the disk, but ensure that the file is not insanely big
int total = 0;
String name = validateFilename(entry.getName());
FileOutputStream fos = new FileOutputStream(name);
 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
 while (total <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) {
   dest.write(data, 0, count);
   total += count;
 }
 dest.flush();
 dest.close();
zis.closeEntry();
if (total > TOOBIG){
throw new IllegalStateException("File being unzipped is huge."); }
}
} finally {
zis.close();
}
}
|
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="644f167c120a5c53-a10cc9dc-48fa4aa0-a045a3eb-3c6d4a22a034c624051622d8"><ac:plain-text-body><![CDATA[ | [[Mahmoud 2002 | AA. References#Mahmoud 02]] | [Compressing and Decompressing Data Using Java APIs | http://java.sun.com/developer/technicalArticles/Programming/compression/] | ]]></ac:plain-text-body></ac:structured-macro> |
...