adamhathcock / sharpcompress

SharpCompress is a fully managed C# library to deal with many compression types and formats.
MIT License

Optionally Respect Header Size when Decompressing #712

Open sburmanoctopus opened 1 year ago

sburmanoctopus commented 1 year ago

Hello!

Would it be possible to have an option to fail decompression if the actual size of a decompressed entry starts to go over the uncompressed size declared in the header during decompression?

Headers of the zip file are easily manipulated, and so the uncompressed size can be changed to something smaller.

When using SharpCompress, I found that the manipulated header was being used when reading TotalUncompressSize, but the archive would decompress to its original size regardless of what size the header said it should be.

I understand many people may not want this, so thought it might be something that could be done as an option (in ExtractionOptions maybe).

For now, we have coded a solution around this. But it would be great if there was a way to enforce the header size in SharpCompress itself for use in other projects.

adamhathcock commented 1 year ago

Sounds like we should just blanket do that as more of a security feature anyway. Invalid or malformed archives/headers should be exceptions thrown.

The option would be to not do this validation.
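
One way to enforce the declared size during extraction, as an added example that is not code from SharpCompress or from either commenter: a write-only sink that throws as soon as the decompressed output would exceed the size the header claims. `DeclaredSizeGuardStream` is a hypothetical name, the demo uses only the .NET base class library (`DeflateStream`) with a constructed payload, and in real use the declared size would be read from the archive entry's header.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Hypothetical helper: refuses to accept more bytes than the header declared.
sealed class DeclaredSizeGuardStream : Stream
{
    private readonly Stream _inner;
    private readonly long _declaredSize;
    private long _written;
    public DeclaredSizeGuardStream(Stream inner, long declaredSize) =>
        (_inner, _declaredSize) = (inner, declaredSize);

    public override void Write(byte[] buffer, int offset, int count)
    {
        // Check before writing so the excess never reaches the destination.
        if (count > _declaredSize - _written)
            throw new InvalidDataException(
                $"Entry exceeds declared uncompressed size of {_declaredSize} bytes.");
        _inner.Write(buffer, offset, count);
        _written += count;
    }

    public override void Flush() => _inner.Flush();
    public override bool CanRead => false;
    public override bool CanSeek => false;
    public override bool CanWrite => true;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => _written; set => throw new NotSupportedException(); }
    public override int Read(byte[] b, int o, int c) => throw new NotSupportedException();
    public override long Seek(long o, SeekOrigin s) => throw new NotSupportedException();
    public override void SetLength(long v) => throw new NotSupportedException();
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: 1 MiB of zeros, deflated, with a "header" claiming 1 KiB.
        var compressed = new MemoryStream();
        using (var z = new DeflateStream(compressed, CompressionMode.Compress, leaveOpen: true))
            z.Write(new byte[1 << 20], 0, 1 << 20);
        compressed.Position = 0;
        long declaredSize = 1024; // constructed value standing in for a manipulated header field
        using var inflate = new DeflateStream(compressed, CompressionMode.Decompress);
        using var guarded = new DeclaredSizeGuardStream(new MemoryStream(), declaredSize);
        try { inflate.CopyTo(guarded); }
        catch (InvalidDataException e) { Console.WriteLine($"Rejected: {e.Message}"); }
    }
}
```

Because the check runs on every write, extraction stops within one buffer of the declared size instead of after the full payload has been inflated.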