Reputation: 63972
How to use Archive::Extract safely - againist zip bomb or similar?
Problem outline:
- need allow upload ZIP files (and
tgzand more compressed directory trees) via web-from - the zip files should be extracted for their content handling
- planning to use Archive::Extract for the extracting
- here are things like ZIP BOMBS and like...
From the manual
Archive::Extract can use either pure perl modules or command line programs under the hood. Some of the pure perl modules (like Archive::Tar and Compress::unLZMA) take the entire contents of the archive into memory, which may not be feasible on your system. Consider setting the global variable $Archive::Extract::PREFER_BIN to 1 , which will prefer the use of command line programs and won't consume so much memory.
The questions are:
- When I set the
$Archive::Extract::PREFER_BIN = 1- i'm enough protected againist ZIP-BOMB like things? $Archive::Extract::PREFER_BIN protect me againist much memory usage - but, the standard
unzip,tar -zunrarbinaries are safe againist zip bomb like attacks?If not - how to handle safely uploaded compressed
directory tree? (so here is not only one file inside the e.gzip archive).
Upvotes: 3
Views: 2149
Answers (1)
Reputation: 13792
$Archive::Extract::PREFER_BIN = 1 doesn't protect you against zip bombs, you are passing the problem to the binary unzip tool of your system.
This SO question may helps you. I like the idea of running a second process with ulimit.
Upvotes: 3
Related Questions
- How to zip a file in perl using IO::Compress::Zip
- How can I extract a single file from a ZIP archive using Perl's Archive::Zip?
- Perl Archive::Zip unexpected behavior
- Zipping a file with perl results in an invalid archive
- How to silence the warning in the Archive::Zip
- Perl reading zip files with IO::Uncompress::AnyUncompress
- How to create zip file in perl?
- How can I extract a compressed archive in Perl?
- How to combine zip files with Archive::Zip in Perl
- How can I create a Zip archive in Perl?