On Sun, Nov 16, 2008 at 4:13 PM, Artur Fijałkowski wiki.warx@gmail.com wrote:
2008/11/16 Gregory Maxwell gmaxwell@gmail.com:
If someone creates a good sanitizer that only allows normal ODT files without the risk of smuggling hidden program code, then we could allow the OpenOffice files again. I believe it would be desirable to do so, as rejecting the editable form is highly undesirable.
But still, a zip file could have a decompression bomb, or is there any universal method of avoiding that?
Disallow recursive zips (not needed for any of these formats), and check the directory before uncompressing, disallowing anything that decompresses to enormous sizes. The combination should be sufficient for that particular issue.
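
The directory check described in this reply, as an added sketch that is not part of the original thread or of any project's code. The limits and the names `check_zip` and `make_zip` are assumptions chosen for illustration, and the sample archives are constructed.

```python
import io
import zipfile

# Assumed limits for illustration; tune them to the formats you accept.
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # sum of declared uncompressed sizes
MAX_MEMBERS = 1000                  # directory entries
MAX_RATIO = 200                     # declared uncompressed/compressed, per entry
ZIP_MAGIC = b"PK\x03\x04"           # local file header signature


def check_zip(data):
    """Vet a zip container from its directory; return (accepted, reason)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip"
    with zf:
        members = zf.infolist()  # parsed from the central directory only
        if len(members) > MAX_MEMBERS:
            return False, "too many entries"
        total = 0
        for info in members:
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                return False, "declared size too large"
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                return False, "suspicious ratio: " + info.filename
        # Sizes passed; reading only 4 bytes keeps each peek bounded.
        for info in members:
            with zf.open(info) as member:
                if member.read(4) == ZIP_MAGIC:
                    return False, "nested zip: " + info.filename
    return True, "ok"


def make_zip(entries):
    """Build a constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_zip({"a.txt": b"hello"})
    print(check_zip(make_zip({"content.xml": b"<doc>text</doc>"})))
    print(check_zip(make_zip({"Pictures/x.zip": inner})))
    print(check_zip(make_zip({"content.xml": b"\0" * 5_000_000})))
```

The sizes checked here are the ones the archive declares about itself, so an extractor should still cap the bytes it actually writes while decompressing.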