Protect users against ZIP bombs (fixes FS#22991).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 09:43:03 +00:00 · 2011-02-22 19:46:51 +01:00 · 2011-02-22 19:46:51 +01:00 · 09d8128f99
commit 09d8128f99
parent f961ffd9c7
2 changed files with 17 additions and 0 deletions
--- a/web/lib/config.inc.proto
+++ b/web/lib/config.inc.proto
@ -53,3 +53,8 @@ $LOGIN_TIMEOUT = 7200;

 # Session timeout when using "Remember me" cookies
 $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
+
+# Uncompressed file size limit for submitted tarballs (ZIP bomb protection) -
+# please ensure "upload_max_filesize" is additionally set to no more than 3M,
+# otherwise this check might be easy to bypass (FS#22991 for details)
+$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;