Not sure, but let's see if I can try without crashing my laptop. EDIT: nope, ste... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

sametmax on July 4, 2019 | parent | context | favorite | on: A better zip bomb

Not sure, but let's see if I can try without crashing my laptop.

EDIT: nope, steaming doesn't work, the zip relies on the fact it contains many files, and gzip assume there is only one big blog.

EDIT 2: tried with zlib but it expects a different header. So my guess is you really need to open it as an archive.

masklinn on July 4, 2019 [–]

gzip and zlib (and tar) are "streaming" formats, the essay notes that "streaming" zip libraries are not affected as this bomb exploits the relationship between the central directory and the individual files.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact