[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)
Lukas Fleischer
archlinux at cryptocrack.de
Mon Feb 21 10:35:33 EST 2011
On Mon, Feb 21, 2011 at 03:46:47PM +0100, Dieter Plaetinck wrote:
> On Mon, 21 Feb 2011 14:50:39 +0100
> Lukas Fleischer <archlinux at cryptocrack.de> wrote:
>
>
> > The only issue that might affect the end users as well is "ZIP bombs".
> > Most users will probably notice such a thing before it is entirely
> > extracted, just interrupt tar(1)/gzip(1) and send a removal request to
> > aur-general, however.
>
> hmmm. some good points.
> I guess I could try the suggested approach and see how I like it.
> However, now that you bring up the "zip bombs", do you think it's
> feasible to scan for them serverside without compromising security
> and/or making things needlessly complicated? it would be useful for
> clients if that one aspect could be filtered out in advance.
I don't think this is possible without decompressing the tarball which
is again vulnerable to (D)DoS.
More information about the aur-general
mailing list