ObjFW  Check-in [be628bbb84]

Overview
Comment:OFZIPArchive: Do not sort -[entries].

While sorting -[entries] reduces hard disk seeks, it allows a denial of
service by creating an archive with a huge central directory without
actual files. As usually the order in the central directory matches the
order of the actual files, this minor speed increase is not worth the
attack vector.

SHA3-256: be628bbb8456296105575011da2fed8349f7a485fabf542ab16ffd59d1b9bf44
User & Date: js on 2013-11-06 20:58:10
Context
2013-11-06
21:11
objfw-unzip: Add "never override" mode. check-in: 64f72315cd user: js tags: trunk
20:58
OFZIPArchive: Do not sort -[entries]. check-in: be628bbb84 user: js tags: trunk
20:29
Add OFDeflate64Stream. check-in: 7aef43d648 user: js tags: trunk
Changes

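--- a/src/OFZIPArchive.h
+++ b/src/OFZIPArchive.h
@@ -60,17 +60,17 @@
  */
 - initWithPath: (OFString*)path;
 
 /*!
  * @brief Returns the entries of the central directory of the archive as an
  * 	  array of objects of class @ref OFZIPArchiveEntry.
  *
- * The array is sorted by the offset of the local file header, smallest offset
- * to largest offset. This way, hard disk seeks are minimized when the array is
- * enumerated to extract all files of the archive.
+ * The objects of the array have the same order as the entries in the central
+ * directory, which does not need to be the order in which the actual files are
+ * stored.
  *
  * @return The entries of the central directory of the archive as an array
  */
 - (OFArray*)entries;
 
 /*!
  * @brief Returns the archive comment.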
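Review bot: The rewritten doc comment for `-entries` states the ordering but does not tell callers that the array reflects whatever the archive's central directory claims, which matters when the archive is untrusted. Per the commit description, a central directory can list entries that have no actual files behind them, and the array appears to get one object per central-directory record, so its size is set by the archive. I would add a line such as ` * The entries are taken from the central directory as-is; for untrusted archives, do not assume each entry has file data or that the array is small.` before the `@return` line. This is a documentation-only suggestion; the declaration itself is unchanged.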

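--- a/src/OFZIPArchive.m
+++ b/src/OFZIPArchive.m
@@ -329,15 +329,14 @@
 			@throw [OFInvalidFormatException exception];
 
 		[_entries addObject: entry];
 		[_pathToEntryMap setObject: entry
 				    forKey: [entry fileName]];
 	}
 
-	[_entries sort];
 	[_entries makeImmutable];
 	[_pathToEntryMap makeImmutable];
 
 	objc_autoreleasePoolPop(pool);
 }
 
 - (OFArray*)entries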

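--- a/src/OFZIPArchiveEntry.m
+++ b/src/OFZIPArchiveEntry.m
@@ -247,25 +247,8 @@
 	return _externalAttributes;
 }
 
 - (uint64_t)OF_localFileHeaderOffset
 {
 	return _localFileHeaderOffset;
 }
-
-- (of_comparison_result_t)compare: (id)object
-{
-	OFZIPArchiveEntry *entry;
-
-	if (![object isKindOfClass: [OFZIPArchiveEntry class]])
-		@throw [OFInvalidArgumentException exception];
-
-	entry = object;
-
-	if (_localFileHeaderOffset > entry->_localFileHeaderOffset)
-		return OF_ORDERED_DESCENDING;
-	if (_localFileHeaderOffset < entry->_localFileHeaderOffset)
-		return OF_ORDERED_ASCENDING;
-
-	return OF_ORDERED_SAME;
-}
 @end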