views: 1033

answers: 8

I just read about zip bombs, i.e. zip files that contain a very large amount of highly compressible data (00000000000000000...).

When opened they fill the server's disk.

How can I detect a zip file is a zip bomb before unzipping it?

UPDATE: Can you tell me how this is done in Python or Java?

+3  A: 

If the ZIP decompressor you use can provide the data on original and compressed size, you can use that data. Otherwise start unzipping and monitor the output size; if it grows too much, cut it loose.

sharptooth
+5  A: 

Check a zip header first :)

FractalizeR
A: 

Make sure you are not using your system drive for temp storage. I am not sure if a virus scanner will check it if it encounters it.

Also, you can look at the information inside the zip file and retrieve a list of the content. How to do this depends on the utility used to extract the file, so you need to provide more information here.

Heiko Hatzfeld
A: 

Download files only from trusted sources.

Waleed Eissa
Might not protect against stupidity as it does against malice.
kaizer.se
Never assume malice when stupidity is a simpler explanation.
voyager
By stupidity, do you refer to creating a zip bomb by accident? :) Personally, I mostly download from www.download.com and www.microsoft.com; I'm not so worried about zip bombs unless Microsoft decides to play a practical joke on us, not very likely IMHO.
Waleed Eissa
Microsoft doesn't have to "decide" anything. If one of their servers gets compromised, the attacker can have it start serving up zip bombs (or anything else) in place of its normal "trusted" content. Then you will be in trouble :^)
Jeremy Friesner
@Jeremy, are you trying to tell me that you check the headers of every zip file you download? Actually, I never heard about zip bombs before I read this question, but I'm not so worried about them as long as they don't delete or damage any data on my computer.
Waleed Eissa
Waleed, no I don't do that. My point was that assuming Microsoft.com==safe is just that, an assumption. Instead of having to make assumptions, a better solution would be an unzip unpacker that is aware of the possibility of "zip bombs" and takes steps to deal with them as gracefully as possible (e.g. by telling you in advance what the unzipped size of the archive will be... so you can know in advance if your 42KB .zip file is going to unpack to 300GB)
Jeremy Friesner
+11  A: 

Try this in Python:

import zipfile

z = zipfile.ZipFile('c:/a_zip_file')
# file_size is the uncompressed size each entry declares in the central directory
print('total files size=', sum(e.file_size for e in z.infolist()))
z.close()
Nick D
At least with gzip I think the uncompressed size might not be in the header (so it might work with zip, but not with .tar.gz)
tonfa
@tonfa, thanks for mentioning that zipfile doesn't handle gnu zip format.
Nick D
IIRC, the Zip standard (and let's face it, if you want to cause a DoS, you are necessarily going to follow standards) allows certain sizes to be elided from the central directory and entry headers.
Tom Hawtin - tackline
The most famous zip bomb will pass this test because the first level is not very big. You need to check ZIP depth (ZIP inside ZIP) also.
ZZ Coder
@ZZ Coder, hmm that's true. Tom Hawtin - tackline's solution is better in case you decompress all levels at once.
Nick D
+4  A: 

Reading over the description on Wikipedia:

Deny any compressed files that contain compressed files.
     Use ZipFile.entries() to retrieve a list of files, then ZipEntry.getName() to find the file extension.
Deny any compressed files that contain files over a set size, or whose size cannot be determined at startup.
     While iterating over the files use ZipEntry.getSize() to retrieve the file size.

mlk
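The two answers above (Nick D's Python one-liner summing the declared sizes, and mlk's Java policy of rejecting nested archives and oversized entries) describe the same metadata check, and ZZ Coder's comment points out the gap in the naive version: a nested bomb has a tiny first layer. The following is an added example, not code posted by any of the answerers, that combines the pieces in Python: it walks the central directory, enforces a total budget, a per-entry compression ratio limit and a nesting limit, and sniffs the first bytes of each entry rather than trusting its extension. The limits, the names (inspect_zip, verdict, build_zip) and the sample archives are assumptions constructed for this demo.

```python
import io
import zipfile

# Policy limits: assumptions chosen for this demo, tune them for your service.
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024   # declared output, all nesting levels
MAX_RATIO = 100                             # declared uncompressed : compressed
MAX_NESTING = 1                             # archives inside archives to tolerate

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"      # first bytes of every non-empty ZIP


class ZipBombSuspected(Exception):
    """Raised when the archive's own metadata violates the policy above."""


def declared_total(data):
    """The check from the answer above: sum of the declared uncompressed sizes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(e.file_size for e in zf.infolist())


def inspect_zip(data, depth=0):
    """Return the declared uncompressed size of `data`, nested archives included.

    Raises ZipBombSuspected as soon as the running total, one entry's
    compression ratio, or the nesting depth violates the policy. Only the
    central directory and the first bytes of each entry are read; nothing
    is written to disk.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ZipBombSuspected("not a ZIP archive: %s" % exc)
    total = 0
    with zf:
        for entry in zf.infolist():
            if entry.is_dir():
                continue
            total += entry.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                raise ZipBombSuspected(
                    "declared total exceeds %d bytes" % MAX_TOTAL_UNCOMPRESSED)
            if entry.compress_size and entry.file_size / entry.compress_size > MAX_RATIO:
                raise ZipBombSuspected("%s: compression ratio %.0f:1" % (
                    entry.filename, entry.file_size / entry.compress_size))
            # Sniff the first bytes instead of trusting the extension: a nested
            # archive renamed to .dat is still a nested archive.
            with zf.open(entry) as member:
                head = member.read(len(ZIP_LOCAL_HEADER_MAGIC))
            if head == ZIP_LOCAL_HEADER_MAGIC or entry.filename.lower().endswith(".zip"):
                if depth >= MAX_NESTING:
                    raise ZipBombSuspected("%s: archive nested deeper than %d level(s)"
                                           % (entry.filename, MAX_NESTING))
                with zf.open(entry) as member:
                    inner = member.read(MAX_TOTAL_UNCOMPRESSED)  # bounded read
                # The nested archive's declared sizes count against the same budget.
                total += inspect_zip(inner, depth + 1)
                if total > MAX_TOTAL_UNCOMPRESSED:
                    raise ZipBombSuspected(
                        "declared total exceeds %d bytes" % MAX_TOTAL_UNCOMPRESSED)
    return total


def verdict(data):
    """Run inspect_zip and report 'ok' or the reason the archive was rejected."""
    try:
        inspect_zip(data)
        return "ok"
    except ZipBombSuspected as exc:
        return "rejected: %s" % exc


def build_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Constructed sample: build an in-memory ZIP from {name: payload bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives for the demo (not real-world bombs).
BENIGN = build_zip({"readme.txt": b"hello zip\n", "table.bin": bytes(range(256)) * 4})
FLAT_BOMB = build_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)})        # ~1000:1 ratio
OVERSIZED = build_zip({"big.bin": b"\0" * (9 * 1024 * 1024)}, zipfile.ZIP_STORED)
NESTED_BOMB = build_zip({"inner.dat": FLAT_BOMB}, zipfile.ZIP_STORED)  # tiny outer layer
DOUBLE_NESTED_BOMB = build_zip({"outer.dat": NESTED_BOMB}, zipfile.ZIP_STORED)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("flat bomb", FLAT_BOMB),
                       ("oversized", OVERSIZED), ("nested bomb", NESTED_BOMB),
                       ("double nested", DOUBLE_NESTED_BOMB)]:
        print("%-13s declared=%8d bytes  %s" % (name, declared_total(blob), verdict(blob)))
```

Note what this does and does not buy you: NESTED_BOMB passes the plain declared_total() check with a few KiB, and is only caught because inspect_zip() recurses. Everything here is read from fields the archive's author wrote, so a header that lies (or, as Tom Hawtin notes, omits the sizes) gets past it; treat it as a cheap pre-filter in front of a size-capped streaming extraction, not as the only control.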
+1  A: 

Don't allow the upload process to write enough data to fill up the disk, ie solve the problem, not just one possible cause of the problem.

Pete Kirkham
+8  A: 

Zip is, erm, an "interesting" format. A robust solution is to stream the data out, and stop when you have had enough. In Java, use ZipInputStream rather than ZipFile. The latter also requires you to store the data in a temporary file, which is also not the greatest of ideas.

Tom Hawtin - tackline
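The streaming approach in this answer, and in sharptooth's "monitor the output size and cut it loose", is the one that holds up when the headers lie. The following is an added example, not the answerer's code, showing it in Python: ZipFile.open() decompresses a member on the fly (the counterpart of Java's ZipInputStream), and one bounded copy loop counts what actually comes out and aborts past a budget. The same loop is applied to a gzip stream, which, as tonfa's comment notes, carries no usable size in its header. The budget, the function names (copy_with_limit, extract_zip_limited, gunzip_limited, outcome) and the sample data are assumptions constructed for this demo.

```python
import gzip
import io
import zipfile

MAX_OUTPUT_BYTES = 1024 * 1024   # total bytes we are willing to produce (assumption)
CHUNK = 64 * 1024                # decompression step; bounds memory per read


class OutputLimitExceeded(Exception):
    """Raised when decompressed output would exceed the budget."""


def copy_with_limit(src, dst, limit, chunk=CHUNK):
    """Copy decompressed bytes from src to dst, stopping before `limit` is crossed.

    `src` is any file-like object that decompresses as it is read (a ZipExtFile
    from ZipFile.open, a GzipFile, ...). The sizes declared in the headers are
    never consulted; only what actually comes out of the decompressor counts.
    Returns the number of bytes written.
    """
    written = 0
    while True:
        block = src.read(chunk)
        if not block:
            return written
        if written + len(block) > limit:
            raise OutputLimitExceeded(
                "decompressed output exceeded %d bytes" % limit)
        dst.write(block)
        written += len(block)


def extract_zip_limited(data, limit=MAX_OUTPUT_BYTES):
    """Extract an in-memory ZIP into {name: bytes} under one shared output budget.

    ZipFile.open() streams each member through the decompressor; the archive
    is never inflated into a temporary file first.
    """
    out = {}
    remaining = limit
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.infolist():
            if entry.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(entry) as member:
                remaining -= copy_with_limit(member, buf, remaining)
            out[entry.filename] = buf.getvalue()
    return out


def gunzip_limited(data, limit=MAX_OUTPUT_BYTES):
    """Same loop for a gzip stream, whose header carries no trustworthy size."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        copy_with_limit(gz, buf, limit)
    return buf.getvalue()


def outcome(extract, data):
    """Report 'ok:<bytes produced>' or 'rejected' for a given extractor and blob."""
    try:
        result = extract(data)
    except OutputLimitExceeded:
        return "rejected"
    if isinstance(result, dict):
        return "ok:%d" % sum(len(v) for v in result.values())
    return "ok:%d" % len(result)


def build_zip(members):
    """Constructed sample: deflate {name: payload bytes} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a harmless archive, and 8 MiB of zeros that deflate and
# gzip to a few KiB each but would blow through the 1 MiB budget on the way out.
ZIP_OK = build_zip({"readme.txt": b"hello\n", "table.bin": bytes(range(256)) * 4})
ZIP_BOMB = build_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
GZ_BOMB = gzip.compress(b"\0" * (8 * 1024 * 1024))

if __name__ == "__main__":
    print("benign zip :", len(ZIP_OK), "bytes in ->", outcome(extract_zip_limited, ZIP_OK))
    print("zip bomb   :", len(ZIP_BOMB), "bytes in ->", outcome(extract_zip_limited, ZIP_BOMB))
    print("gzip bomb  :", len(GZ_BOMB), "bytes in ->", outcome(gunzip_limited, GZ_BOMB))
```

At most limit plus one chunk ever exists in memory, and the bomb is cut off after the first MiB regardless of what its directory claims. When the destination is a real file rather than a BytesIO, delete the partial output on OutputLimitExceeded, and, as Pete Kirkham's answer says, pair this with a disk quota so that the upload path as a whole cannot fill the volume.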