Hello Dave,

from a look at the code, it appears that you're not currently checking
the file size before decompressing. A relatively small zip file can
contain a file full of zeroes which is actually a gigabyte large when
compressed. This could be used for DoS attacks against the server. The
basic attack strategy can be defeated fairly easily -- in your code by
checking $tmpfsize against a variable before decompressing.

The archive could also contain a large number of files of normally
acceptable size (e.g. 100*1MB). Finally, keep in mind that an attacker
could upload multiple ZIP files in a row to spam the server. That's
true for images as well, but a lot easier when you can generate
hundreds of megabytes by uploading hundreds of kilobytes.

It appears the compression ratio is about 1000:1 for such files, i.e.
100 MB will compress to a 100K file. I don't know if different ZIP
implementations achieve different compression ratios here.

One way to deal with this would be to have a per-IP upload limit, e.g.
100 MB per IP/day. You'd have to store this information in a table
somewhere, though. Others may have more clever ideas.

As you're running this on an Intranet, this is likely not an issue.
However, perhaps we should add a warning about this to the page on
Meta for people who intend to run the extension publicly.

Erik
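
The size checks discussed in this message, sketched in PHP with the standard ZipArchive class. This is an added example, not code from the extension or from the author of the message; the limits and the name checkZipLimits are assumptions. It checks the declared per-file size, file count and compression ratio first, then counts the bytes that actually decompress, since the declared sizes are supplied by the uploader.

```php
<?php
// Added example; the limits and function name are assumptions, not the extension's.
const MAX_ENTRIES     = 100;               // files per archive
const MAX_ENTRY_BYTES = 5 * 1024 * 1024;   // uncompressed bytes per file
const MAX_TOTAL_BYTES = 20 * 1024 * 1024;  // uncompressed bytes per archive
const MAX_RATIO       = 100;               // uncompressed:compressed per file

/** Returns null when the archive is within limits, else the rejection reason. */
function checkZipLimits(string $path): ?string {
    $zip = new ZipArchive();               // closed automatically when it goes out of scope
    if ($zip->open($path) !== true) return 'not a readable ZIP archive';
    if ($zip->numFiles > MAX_ENTRIES) return 'too many entries';
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) return "entry $i: unreadable";
        if (substr($st['name'], -1) === '/') continue;   // directory entry
        // Declared sizes are cheap to check, but they come from the uploader.
        if ($st['size'] > MAX_ENTRY_BYTES) return "{$st['name']}: declared size too large";
        if ($st['size'] > MAX_RATIO * max(1, $st['comp_size'])) return "{$st['name']}: ratio too high";
        // So also count the bytes that really come out, reading in bounded chunks.
        $in = $zip->getStream($st['name']);
        if ($in === false) return "{$st['name']}: cannot open";
        $n = 0;
        while (($chunk = fread($in, 65536)) !== false && $chunk !== '') {
            $n += strlen($chunk);
            if ($n > $st['size'] || $total + $n > MAX_TOTAL_BYTES) {
                return "{$st['name']}: output exceeds limit";
            }
        }
        fclose($in);
        $total += $n;
    }
    return null;
}

// Constructed sample input: one entry of zeroes, one of incompressible bytes.
$samples = ['zeroes.bin' => str_repeat("\0", 4 * 1024 * 1024), 'noise.bin' => random_bytes(4096)];
foreach ($samples as $name => $data) {
    $path = tempnam(sys_get_temp_dir(), 'zipchk');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addFromString($name, $data);
    $zip->close();
    echo $name, ': ', checkZipLimits($path) ?? 'accepted', "\n";
    unlink($path);
}
```

A real extraction routine would write each chunk to its destination inside the same read loop, so the limit is enforced on the data being stored and not on a separate pass.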