On Sun, Nov 16, 2008 at 4:13 PM, Artur Fijałkowski <wiki.warx(a)gmail.com> wrote:
> 2008/11/16 Gregory Maxwell <gmaxwell(a)gmail.com>:
>> If someone creates a good sanitizer that only allows normal ODT files
>> without the risk of smuggling hidden program code, then we could allow
>> the OpenOffice files again. I believe it would be desirable to do so,
>> as rejecting the editable form is highly undesirable.
>
> But still, a zip file could have a decompression bomb, or is there any
> universal method of avoiding that?

Disallow recursive zips (not needed for any of these formats), and
check the directory before uncompressing, disallowing anything that
decompresses to enormous sizes. The combination should be sufficient
for that particular issue.
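
The two checks described in the reply above, as an added example that is not part of the original message: it reads the declared sizes from the zip central directory before inflating anything, then rejects any member that is itself a zip. The function names and the size limits are assumptions chosen for illustration; only Python's standard zipfile module is used.

```python
import io
import zipfile

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def build_zip(members: dict) -> bytes:
    """Constructed sample input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def check_zip_container(data, max_members=2000, max_member_bytes=50 * 2**20,
                        max_total_bytes=200 * 2**20):
    """Return policy violations for an upload; an empty list means accept."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable zip container"]
    problems = []
    with zf:
        members = zf.infolist()  # central directory only, nothing inflated yet
        if len(members) > max_members:
            problems.append(f"too many members: {len(members)}")
        for info in members:
            if info.file_size > max_member_bytes:
                problems.append(f"{info.filename}: declares {info.file_size} bytes")
        total = sum(info.file_size for info in members)
        if total > max_total_bytes:
            problems.append(f"total declared size: {total} bytes")
        if problems:
            return problems  # refuse before decompressing anything
        for info in members:
            if info.is_dir():
                continue
            try:
                with zf.open(info) as member:
                    head = member.read(4)  # inflates only the first bytes
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                problems.append(f"{info.filename}: unreadable member")
                continue
            if head in ZIP_MAGIC:
                problems.append(f"{info.filename}: nested zip")
    return problems
```

The sizes checked here are the ones the archive declares about itself, so whatever later extracts an accepted file should also cap the number of bytes it actually writes.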