Hello Dave, from a look at the code, it appears that you're not currently checking the file size before decompressing. A relatively small zip file can contain a file full of zeroes which is actually a gigabyte large when compressed. This could be used for DoS attacks against the server. The basic attack strategy can be defeated fairly easily -- in your code by checking $tmpfsize against a variable before decompressing. The archive could also contain a large number of files of normally acceptable size (e.g. 100*1MB). Finally, keep in mind that an attacker could upload multiple ZIP files in a row to spam the server. That's true for images as well, but a lot easier when you can generate hundreds of megabytes by uploading hundreds of kilobytes. It appears the compression ratio is about 1000:1 for such files, i.e. 100 MB will compress to a 100K file. I don't know if different ZIP implementations achieve different compression ratios here. One way to deal with this would be to have a per-IP upload limit, e.g. 100 MB per IP/day. You'd have to store this information in a table somewhere, though. Others may have more clever ideas. As you're running this on an Intranet, this is likely not an issue. However, perhaps we should add a warning about this to the page on Meta for people who intend to run the extension publicly. Erik