hashicorp / go-getter

Package for downloading things from a string URL using a variety of protocols.
Mozilla Public License 2.0

Remove `bomb.zip` test file to stop anti-virus noise #424

Closed picatz closed 1 year ago

picatz commented 1 year ago

This PR aims to fix #419. The bomb.zip file was useful to verify the zip bomb protections worked properly, but is not required to verify our mitigations work. Including a real zip bomb led to confusion and reports of anti-virus causing issues for users. Instead, a zip file is created inline with the test before verifying the decompression limit works.
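The approach described in this comment, as an added example that is not go-getter's own test code: build a small, highly compressible zip in memory at test time (so nothing that looks like a bomb is checked in), then enforce a decompression limit on the bytes actually produced rather than on the sizes the entry headers claim. The names `makeZip`, `extractWithLimit` and `ErrDecompressionLimit` and the 4 MiB / 1 MiB figures are assumptions chosen for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the uncompressed output would exceed the
// caller's budget. (Name is an assumption for this example, not a go-getter API.)
var ErrDecompressionLimit = errors.New("decompression limit exceeded")

// makeZip builds an in-memory zip archive with one DEFLATE-compressed entry of
// `size` zero bytes. Zeros compress extremely well, so the archive is tiny while
// its uncompressed content is large: a safe stand-in for a real zip bomb in tests.
func makeZip(name string, size int64) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name) // default method is Deflate
	if err != nil {
		return nil, err
	}
	chunk := make([]byte, 32*1024) // all zeros
	for remaining := size; remaining > 0; {
		n := int64(len(chunk))
		if remaining < n {
			n = remaining
		}
		if _, err := w.Write(chunk[:n]); err != nil {
			return nil, err
		}
		remaining -= n
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// extractWithLimit decompresses every entry (discarding the data) and returns the
// total number of bytes produced. It fails with ErrDecompressionLimit as soon as the
// cumulative output would exceed `limit`. The header's UncompressedSize64 is used
// only as a cheap early reject; it is attacker-controlled, so the real enforcement
// is on bytes read through io.LimitReader.
func extractWithLimit(archive []byte, limit int64) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		remaining := limit - total
		if f.UncompressedSize64 > uint64(remaining) {
			return total, ErrDecompressionLimit // header already claims too much
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Allow one byte past the budget so an overrun is observable.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > remaining {
			return total + remaining, ErrDecompressionLimit // header lied; real bytes exceeded budget
		}
		total += n
	}
	return total, nil
}

func main() {
	archive, err := makeZip("zeros.bin", 4<<20) // 4 MiB of zeros, built inline
	if err != nil {
		panic(err)
	}
	fmt.Printf("archive is %d bytes on the wire\n", len(archive))
	n, err := extractWithLimit(archive, 1<<20) // 1 MiB budget: must be rejected
	fmt.Printf("limit 1 MiB: wrote %d bytes, err=%v\n", n, err)
	n, err = extractWithLimit(archive, 8<<20) // 8 MiB budget: fits
	fmt.Printf("limit 8 MiB: wrote %d bytes, err=%v\n", n, err)
}
```

The point of generating the archive in the test rather than shipping one is that the compressed bytes never exist on disk, so there is nothing for a scanner to flag, while the mitigation under test still sees a realistic expansion ratio.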

picatz commented 1 year ago

cc @nywilken we probably need to get this same change landed in v2 sometime in the near future.

nywilken commented 1 year ago

> cc @nywilken we probably need to get this same change landed in v2 sometime in the near future.

Sounds good thanks for the detailed description. I like the approach. This change can be easily cherry-picked into v2 once merged.
