[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)

Loui Chang louipc.ist at gmail.com
Mon Feb 21 18:16:08 EST 2011


On Tue 22 Feb 2011 00:51 +0200, Ionuț Bîru wrote:
> On 02/22/2011 12:35 AM, Isaac Dupree wrote:
> >On 02/21/11 10:54, Lukas Fleischer wrote:
> >>Yes, like having two 1GB large files `tar -czf`'ed and uploading the
> >>resulting tarball to the AUR. I don't think that can be detected without
> >>being vulnerable to DoS attacks.
> >
> >What if the PKGBUILD itself is a 1GB file? For example a normal looking
> >PKGBUILD followed by a billion newlines. That probably compresses pretty
> >well.
> >
> >(/foolishly responding without reading code)
> >
> >-Isaac
> 
> Actually, if I remember well, somebody did that in the past.

Yeah, we really need to figure out a reliable way to reject these
zip-bombs.
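As an added example (not code from this thread or from the AUR itself), one way to refuse such uploads without inflating them first: the tarball is walked in streaming mode, each member's header-declared size is compared to a limit before its payload is decompressed, and the bytes actually inflated are counted as a second guard. The size limits, the `check_upload`/`make_tgz` names and the sample PKGBUILDs are assumptions constructed for this example.

```python
import io
import tarfile

MAX_MEMBERS = 64             # limits are assumptions for this example: a PKGBUILD plus a few files
MAX_MEMBER_BYTES = 1 << 20   # 1 MiB per file
MAX_TOTAL_BYTES = 4 << 20    # 4 MiB uncompressed for the whole archive
CHUNK = 64 * 1024


class BombRejected(Exception): """The upload would decompress beyond the configured limits."""


def check_upload(data: bytes) -> list:
    """Walk a .tar.gz in streaming mode and return its member names.

    Nothing is written to disk and no member is held uncompressed in full: each
    member's size is taken from its 512-byte header and checked *before* the
    payload is inflated, and the bytes actually streamed are counted as well.
    """
    names, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r|gz") as tar:  # "r|": sequential, no seeking
        for member in tar:
            if len(names) >= MAX_MEMBERS:
                raise BombRejected("too many members")
            if not member.isreg():
                raise BombRejected(f"{member.name}: only regular files are accepted")
            if member.size > MAX_MEMBER_BYTES:  # header says too big: stop before inflating it
                raise BombRejected(f"{member.name}: {member.size} bytes exceeds per-file limit")
            fh = tar.extractfile(member)
            while chunk := fh.read(CHUNK):
                total += len(chunk)
                if total > MAX_TOTAL_BYTES:  # defence in depth: count what was really inflated
                    raise BombRejected("archive exceeds total uncompressed limit")
            names.append(member.name)
    return names


def is_acceptable(data: bytes) -> bool:
    """True if the upload passes the limits, False if it is refused or malformed."""
    try:
        check_upload(data)
        return True
    except (BombRejected, tarfile.TarError, EOFError, OSError):
        return False


def make_tgz(files: dict) -> bytes:
    """Build a .tar.gz in memory from {name: content}; constructed sample input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

A PKGBUILD padded with 4 MiB of newlines compresses to a few KiB but is refused after only its tar header has been read, so the check itself cannot be turned into the DoS it is guarding against.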


