A better zip bomb
Re: A better zip bomb
Wow! Dumbstruck.
My highlight:
2019-07-05: I noticed that CVE-2019-13232 was assigned for UnZip. Personally, I would dispute that UnZip's (or any zip parser's) ability to process a zip bomb of the kind discussed here necessarily represents a security vulnerability, or even a bug. It's a natural implementation and does not violate the specification in any way that I can tell. The type discussed in this article is only one type of zip bomb, and there are many ways in which zip parsing can go wrong that are not bombs. As mentioned above, if you want to defend against resource exhaustion attacks, you should not try to enumerate, detect, and block every individual known attack; rather you should impose external limits on time and other resources so that the parser cannot misbehave too much, no matter what kind of attack it faces.
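The quoted passage recommends bounding the decompressor from the outside rather than recognising specific bomb layouts. The following is an added illustration, not code from the article or from this thread: it counts bytes as they come out of the decompressor and aborts once a caller-chosen cap (a hypothetical 10 MiB default here) is exceeded, so the declared sizes in the zip headers are never trusted. The test archive is constructed inline.

```python
import io
import zipfile

# Hypothetical default cap for this example; tune it for your service.
MAX_TOTAL_BYTES = 10 * 1024 * 1024
CHUNK = 64 * 1024


class ExtractionLimitExceeded(Exception):
    """Raised when decompressed output exceeds the configured budget."""


def read_zip_bounded(data: bytes, max_total: int = MAX_TOTAL_BYTES) -> dict:
    """Decompress every entry while counting the bytes actually produced.

    The limit is enforced on the output stream, not on the header's
    declared sizes, so an archive that lies about its sizes cannot
    bypass it. Entries are kept in memory only for demonstration.
    """
    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ExtractionLimitExceeded(
                            f"output exceeded {max_total} bytes at {info.filename}")
                    buf.extend(chunk)
            out[info.filename] = bytes(buf)
    return out


def within_limit(data: bytes, max_total: int) -> bool:
    """True if the archive decompresses entirely within max_total bytes."""
    try:
        read_zip_bounded(data, max_total)
        return True
    except ExtractionLimitExceeded:
        return False


def make_test_zip(num_entries: int, entry_size: int) -> bytes:
    """Constructed sample archive of highly compressible entries for testing."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i in range(num_entries):
            zf.writestr(f"f{i}.txt", b"\0" * entry_size)
    return bio.getvalue()
```

In production the same counter would wrap whatever sink the data is written to, and a wall-clock timeout and memory limit on the worker process complete the external bound the passage describes.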
Re: A better zip bomb
Thanks. Amazing read.