author | Øystein Heskestad <oystein.heskestad@qt.io> | 2021-03-03 12:23:18 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-03-07 07:55:38 +0000 |
commit | 4e1bd90f3f71e97de580215c9884df8374602a8b (patch) | |
tree | 635c6ed24520387c281333585483687cb02d024f /src | |
parent | 920ecea06aec2e87d1fa2270a4023def84024c63 (diff) |
Make qdecompresshelper archive bomb check only trigger for large files
This is to avoid false positives.
By default a file counts as large if its uncompressed size is > 10 MB. The threshold is only configurable internally.
Also add auto tests.
Task-number: QTBUG-91392
Change-Id: I32258cb7c957f2a23a05157ba4ed5c0af2ba585e
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit be73ca7eb1cebcc15064666e647bc337b5c2baa2)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/network/access/qdecompresshelper.cpp | 8 | ||||
-rw-r--r-- | src/network/access/qdecompresshelper_p.h | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/src/network/access/qdecompresshelper.cpp b/src/network/access/qdecompresshelper.cpp
index 2e44a58cf4..d0e75ef0dc 100644
--- a/src/network/access/qdecompresshelper.cpp
+++ b/src/network/access/qdecompresshelper.cpp
@@ -405,6 +405,11 @@ void QDecompressHelper::setArchiveBombDetectionEnabled(bool enable)
 countHelper->setArchiveBombDetectionEnabled(enable);
 }
+void QDecompressHelper::setMinimumArchiveBombSize(qint64 threshold)
+{
+ minimumArchiveBombSize = threshold;
+}
+
 bool QDecompressHelper::isPotentialArchiveBomb() const
 {
 if (!archiveBombDetectionEnabled)
@@ -413,6 +418,9 @@ bool QDecompressHelper::isPotentialArchiveBomb() const
 if (totalCompressedBytes == 0)
 return false;
+ if (totalUncompressedBytes <= minimumArchiveBombSize)
+ return false;
+
 // Some protection against malicious or corrupted compressed files that expand far more than
 // is reasonable.
 double ratio = double(totalUncompressedBytes) / double(totalCompressedBytes);
diff --git a/src/network/access/qdecompresshelper_p.h b/src/network/access/qdecompresshelper_p.h
index 4e66581022..6a77775790 100644
--- a/src/network/access/qdecompresshelper_p.h
+++ b/src/network/access/qdecompresshelper_p.h
@@ -92,6 +92,7 @@ public:
 void clear();
 void setArchiveBombDetectionEnabled(bool enable);
+ void setMinimumArchiveBombSize(qint64 threshold);
 static bool isSupportedEncoding(const QByteArray &encoding);
 static QByteArrayList acceptedEncoding();
@@ -119,6 +120,7 @@ private:
 // Used for calculating the ratio
 bool archiveBombDetectionEnabled = true;
+ qint64 minimumArchiveBombSize = 10 * 1024 * 1024;
 qint64 totalUncompressedBytes = 0;
 qint64 totalCompressedBytes = 0;
|
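Review bot: `setMinimumArchiveBombSize` stores the threshold only on this object, whereas `setArchiveBombDetectionEnabled`, visible in the context lines just above it, also forwards its setting to `countHelper`. If `countHelper` performs its own `isPotentialArchiveBomb()` check (not visible here), it would keep the 10 MiB default and the two helpers could disagree about when a stream is rejected. Consider forwarding the value as well, `countHelper->setMinimumArchiveBombSize(threshold);`, under whatever guard `setArchiveBombDetectionEnabled` uses; that function starts outside the hunk. The setter also accepts any `qint64`, so a very large value silently switches the check off, which deserves a one-line comment if it is intended.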
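Review bot: The new early return in `isPotentialArchiveBomb()` carries no comment, yet it changes what the protection guarantees. A stream whose total output stays at or below `minimumArchiveBombSize` is never ratio-checked, and a larger one can only be flagged after more than that many bytes have already been produced. I would state this next to the check, for example `// Small outputs are cheap to hold even at extreme ratios; skip the ratio check until the total exceeds the threshold.` The rest of the function, including the ratio limits, lies outside the hunk.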
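Review bot: `minimumArchiveBombSize` is inserted under the existing `// Used for calculating the ratio` comment in the private section, but it is a threshold rather than an input to the ratio, and its unit is not stated. A trailing comment such as `// bytes (10 MiB); at or below this total the ratio check is skipped` would keep the group readable. The commit message says 10 MB while the initializer is 10 MiB, so the comment is also the place to pin the exact value.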