Default validate_entry_sizes to false for 1.3 release
jdleesmiller committed Sep 15, 2019
1 parent 4167f0c commit 7849f73
Showing 3 changed files with 19 additions and 2 deletions.
11 changes: 11 additions & 0 deletions Changelog.md
@@ -1,5 +1,16 @@
# X.X.X (Next)

-

# 1.3.0 (Next)

Security

- Add `validate_entry_sizes` option so that callers can trust an entry's reported size when using `extract` [#403](https://github.com/rubyzip/rubyzip/pull/403)
- This option defaults to `false` for backward compatibility in this release, but you are strongly encouraged to set it to `true`. It will default to `true` in rubyzip 2.0.

New Feature

- Add `add_stored` method to simplify adding entries without compression [#366](https://github.com/rubyzip/rubyzip/pull/366)

Tooling / Documentation
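Review bot: the new `# 1.3.0 (Next)` heading leaves two "(Next)" sections in the changelog, with `# X.X.X (Next)` directly above it holding only an empty `-` bullet; if 1.3.0 is the release this commit prepares, give that heading its release date (or drop "(Next)") so readers can tell which section is unreleased. The Security entry itself reads well: it states the `false` default, the reason (backward compatibility), and the planned flip to `true` in 2.0, which is exactly what a consumer needs to decide whether to opt in now.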
8 changes: 7 additions & 1 deletion README.md
@@ -265,7 +265,13 @@ Zip.warn_invalid_date = false

### Size Validation

By default, `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.**

If you set
```
Zip.validate_entry_sizes = true
```
then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:

```ruby
MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
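Review bot: the bold sentence `**This setting defaults to \`false\` in rubyzip 1.3 for backward compatibility, but it will default to \`true\` in rubyzip 2.0.**` now opens the section before the setting it refers to has been named; move it to just after the `Zip.validate_entry_sizes = true` snippet so "this setting" has a referent. While editing, tag the new bare fence as ```` ```ruby ```` to match the `MAX_FILE_SIZE` example fence below it, and consider stating plainly that with the option left at `false` the zip-bomb size check described in the next paragraph is not performed at all, since the old "By default, ... checks" wording being removed is the sentence readers of earlier docs will remember.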
2 changes: 1 addition & 1 deletion lib/zip.rb
@@ -55,7 +55,7 @@ def reset!
@write_zip64_support = false
@warn_invalid_date = true
@case_insensitive_match = false
@validate_entry_sizes = true
@validate_entry_sizes = false
end

def setup
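Review bot: flipping `@validate_entry_sizes = false` in `reset!` silently turns off the size check for every existing caller, and nothing in this hunk tells them; since the Changelog in this same commit already commits to a `true` default in 2.0, consider having the extraction path emit a one-time deprecation warning when the option is still `false`, and add a short comment on this line pointing at the README "Size Validation" section and the 2.0 plan so the next person reading `reset!` understands why the secure setting is not the default.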