How to use Archive::Extract safely against zip bombs and the like?

Summary of the task:

  • you need to allow uploading ZIP files (and tgz and other compressed directory trees) via the web interface
  • the zip files must be extracted to handle their contents
  • I plan to use Archive::Extract for the extraction
  • there are things like ZIP BOMBS, and how ...

From the manual

Archive::Extract can use either pure perl modules or command line programs under the hood. Some of the pure perl modules (like Archive::Tar and Compress::unLZMA) take the entire contents of the archive into memory, which may not be feasible on your system. Consider setting the global variable $Archive::Extract::PREFER_BIN to 1, which will prefer the use of command line programs and won't consume so much memory.

Questions:

  • When I set $Archive::Extract::PREFER_BIN = 1, am I protected enough against ZIP BOMBS?
  • $Archive::Extract::PREFER_BIN will protect me from overusing memory, but are the standard unzip, tar -z, unrar binaries safe against attacks such as zip bombs?

  • If not, how do I securely handle an uploaded compressed directory tree? (so there is not just one file inside the zip archive, for example).

1 answer

$Archive::Extract::PREFER_BIN = 1 does not protect you from zip bombs; you pass the problem on to your system's binary unpacker.

This question may help you. I like the idea of starting a second process with ulimit.

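The "second process with ulimit" idea from the answer, written out as an added example (not code from the question, the answer, or Archive::Extract itself). It wraps the system tar in a subshell whose limits are lowered, so a decompression bomb is killed when a file grows past the limit rather than filling the disk; the same wrapper idea applies when Archive::Extract with PREFER_BIN=1 shells out to the same binaries. Assumed: tar and gzip are installed, the archive is a .tar.gz, and the shell supports ulimit -f and -t (bash and dash both do).

```shell
#!/bin/sh
# Added example: extract a .tar.gz inside a child process whose resource
# limits are lowered with ulimit, so a zip/tar bomb hits the limit instead
# of exhausting disk and CPU. Assumes tar and gzip are installed.

# safe_extract ARCHIVE DESTDIR MAX_FILE_BLOCKS [MAX_TOTAL_KB]
#   ARCHIVE          path to a .tar.gz
#   DESTDIR          directory to create; must not already exist
#   MAX_FILE_BLOCKS  ulimit -f value: largest single file the unpacker may
#                    write (blocks of 1024 bytes under bash, 512 under sh)
#   MAX_TOTAL_KB     optional cap on the total size of the extracted tree
# Returns 0 on success; on any failure the partial output is removed and a
# non-zero status is returned.
safe_extract() {
    archive=$1
    dest=$2
    max_file_blocks=$3
    max_total_kb=${4:-0}

    # Refuse to write into a pre-existing directory, so that removing it on
    # failure can never delete anything this function did not create.
    mkdir "$dest" 2>/dev/null || return 1

    (
        # Limits apply only to this subshell and the unpacker it runs.
        ulimit -f "$max_file_blocks"   # tar dies with SIGXFSZ past this size
        ulimit -t 30                   # cap CPU seconds spent inflating

        # Pre-scan entry names: reject absolute paths and ".." components
        # so the extracted tree stays inside DESTDIR.
        if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
            echo "rejected: unsafe entry name in $archive" >&2
            exit 2
        fi

        cd "$dest" && tar -xzf "$archive"
    ) 2>/dev/null
    status=$?

    # ulimit -f is a per-file limit; a bomb made of many medium files would
    # slip past it, so optionally cap the total size of the tree afterwards.
    if [ "$status" -eq 0 ] && [ "$max_total_kb" -gt 0 ]; then
        total_kb=$(du -sk "$dest" | cut -f1)
        [ "$total_kb" -le "$max_total_kb" ] || status=3
    fi

    if [ "$status" -ne 0 ]; then
        rm -rf "$dest"
    fi
    return "$status"
}

# Usage: safe_extract upload.tgz /srv/incoming/job42 2048 65536
```

The per-file limit from ulimit -f is what actually stops a classic bomb mid-write; the du check afterwards only catches a tree that finished extracting but is larger than you are willing to keep, which is why a separate partition or quota for the extraction directory is still worth having.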

Source: https://habr.com/ru/post/1496438/
