Extract user-downloaded archives without providing ZipBombs?

My question is simple: how can I prevent the user from downloading an archive that, when extracted, fills all the disk space (the so-called ZipBomb)? I am using PHP.

1 answer

Before extracting your archive, use the functions of the PHP Zip library to make sure that the contents fall within the general size limit during extraction.

For instance:

// SIZE_LIMIT is the largest total uncompressed size you are willing to extract
define('SIZE_LIMIT', 100 * 1024 * 1024);

// Note: the zip_*() functions are deprecated since PHP 8.0 (ZipArchive is the replacement)
$zip = zip_open('uploaded.zip');
if (!is_resource($zip)) {
    // on failure zip_open() returns an integer error code instead of a resource
    die('could not open archive');
}

$file = zip_read($zip);
$totalsize = 0;

while ($file) {
    // zip_entry_filesize() returns the uncompressed size declared for the entry
    $totalsize += zip_entry_filesize($file);
    $file = zip_read($zip); // read next file
}

zip_close($zip);

if ($totalsize > SIZE_LIMIT) {
    // not allowed!
}
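The declared sizes that the answer sums come from the archive's central directory, which the uploader controls, so a practitioner would also want the limit enforced on the bytes actually written during extraction. The following is an added example (not code from the original answer) using the current ZipArchive API; the MAX_* limits, $path and $dest are assumed values.

```php
<?php
// Added example, not code from the original answer. Uses PHP's ZipArchive class
// (zip_open() is deprecated); the MAX_* limits, $path and $dest are assumed.
const MAX_TOTAL_BYTES = 100 * 1024 * 1024; // 100 MiB of extracted data
const MAX_RATIO       = 100;               // uncompressed : compressed, heuristic
// Pass 1: cheap check on sizes declared in the central directory. They are
// attacker-controlled, so pass 2 enforces the same limit on real output.
function checkDeclaredSizes(ZipArchive $zip): void
{
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        $total += $st['size'];
        if ($total > MAX_TOTAL_BYTES) {
            throw new RuntimeException('declared size exceeds limit');
        }
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > MAX_RATIO) {
            throw new RuntimeException("suspicious ratio: {$st['name']}");
        }
    }
}
// Pass 2: stream each entry out, counting bytes actually written; abort and drop the partial file when the budget is exhausted.
function extractWithBudget(string $path, string $dest): int
{
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }
    checkDeclaredSizes($zip);
    $written = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (str_ends_with($name, '/')) continue; // directory entry, made below
        $target = $dest . '/' . $name;
        is_dir(dirname($target)) || mkdir(dirname($target), 0700, true);
        $in  = $zip->getStream($name);
        $out = fopen($target, 'wb');
        while (!feof($in) && ($chunk = fread($in, 65536)) !== false) {
            $written += strlen($chunk);
            if ($written > MAX_TOTAL_BYTES) {
                fclose($in); fclose($out); unlink($target);
                throw new RuntimeException('extraction budget exceeded');
            }
            fwrite($out, $chunk);
        }
        fclose($in); fclose($out);
    }
    $zip->close();
    return $written; // bytes actually extracted
}
```

If extracted entries are themselves archives that get unpacked later, the same budget should be shared across that recursion rather than reset per archive.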

Source: https://habr.com/ru/post/1777290/
