My question is simple: how do I make sure (or prevent) a user from uploading an archive that upon extraction fills the entire disc space (a so-called ZipBomb)? I am using PHP.
Viewed 67 times
- May be related to http://stackoverflow.com/questions/1903623/uploading-extracting-archive-zip-rar-targz-tarbz-automatically-security – Nov 28 '10 at 12:30
- Yes, but there is no solution to the problem other than Java's `ZipInputStream`. – Tower Nov 28 '10 at 12:41
- List its contents first and check the unpacked sizes? – Your Common Sense Nov 28 '10 at 12:44
1 Answer
Before extracting your archive, use the PHP Zip library functions to ensure that, when extracted, the contents fall within a total size limit.
For example:
    define('SIZE_LIMIT', 50 * 1024 * 1024); // maximum total uncompressed size allowed, in bytes

    $zip = zip_open('uploaded.zip');
    if (!is_resource($zip)) {
        die('Could not open archive'); // zip_open() returns an error code, not a resource, on failure
    }
    $totalsize = 0;
    while ($file = zip_read($zip)) {              // zip_read() returns false after the last entry
        $totalsize += zip_entry_filesize($file);  // uncompressed size declared for this entry
    }
    zip_close($zip);
    if ($totalsize > SIZE_LIMIT) {
        // not allowed!
    }

Jon
- [The comment below the manual entry for `zip_entry_filesize` mentions ZipBombs as well](http://de2.php.net/manual/en/function.zip-entry-filesize.php#98949) – Gordon Nov 28 '10 at 12:47