[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)
Lukas Fleischer
archlinux at cryptocrack.de
Tue Feb 22 04:17:48 EST 2011
On Mon, Feb 21, 2011 at 06:16:08PM -0500, Loui Chang wrote:
> On Tue 22 Feb 2011 00:51 +0200, Ionuț Bîru wrote:
> > On 02/22/2011 12:35 AM, Isaac Dupree wrote:
> > >On 02/21/11 10:54, Lukas Fleischer wrote:
> > >>Yes, like having two 1GB large files `tar -czf`'ed and uploading the
> > >>resulting tarball to the AUR. I don't think that can be detected without
> > >>being vulnerable to DoS attacks.
> > >
> > >What if the PKGBUILD itself is a 1GB file? For example a normal looking
> > >PKGBUILD followed by a billion newlines. That probably compresses pretty
> > >well.
> > >
> > >(/foolishly responding without reading code)
> > >
> > >-Isaac
> >
> > actually if i remember well somebody did that in the past.
>
> Yeah we really need to figure out a reliable way to reject these
> zip-bombs.
Work in progress [1] :p
[1] https://bugs.archlinux.org/task/22991
More information about the aur-general
mailing list