[GH-ISSUE #555] invalid zip file with overlapped components (possible zip bomb) for downloaded folders #330

Closed
opened 2026-04-08 16:52:03 +03:00 by zhus · 4 comments

Originally created by @dkaparis on GitHub (Mar 13, 2025).
Original GitHub issue: https://github.com/sigoden/dufs/issues/555

Problem

Any folders downloaded as zip files give error: invalid zip file with overlapped components (possible zip bomb) when attempting to extract with unzip 6.00. Only the first file is extracted.

Extracting with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE set as advised appears to extract all files without issue.

Configuration

allow-all: true
enable-cors: true
render-index: false
render-try-index: false
render-spa: false
log-format: '$remote_addr "$request" $status $http_user_agent'
log-file: /var/log/dufs.log
compress: low

Environment Information

  • Dufs version: 0.43.0
  • Browser/Webdav info: Mozilla Firefox 136.0
  • OS info: Server: FreeBSD 13.4; client: ArtixLinux with unzip 6.00
  • Proxy server (if any): nginx
zhus closed this issue 2026-04-08 16:52:04 +03:00

@sigoden commented on GitHub (Mar 14, 2025):

Cannot confirm the bug. I have tested that the dufs generated zip works on windows/macos/linux.


@dkaparis commented on GitHub (Mar 18, 2025):

> Cannot confirm the bug. I have tested that the dufs generated zip works on windows/macos/linux.

[dufs-test.zip](https://github.com/user-attachments/files/19315754/dufs-test.zip)

The attached file is generated by my dufs instance. Does it work with your tests on Linux? What tool are you using to extract it?


@sigoden commented on GitHub (Mar 18, 2025):

![Image](https://github.com/user-attachments/assets/8dc5c059-5323-4411-952c-2be7efaaf5d0)


@wsdookadr commented on GitHub (Mar 21, 2025):

The issue persists. I've compressed directories with dufs and have received complaints from people I've sent them to.
The error has been the same many times.
It's probably a false positive or some type of bug, but the effect is a bit embarrassing.

error: invalid zip file with overlapped components (possible zip bomb)
 To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable
[user@machine tuntuntun]$ 
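To see what "overlapped components" refers to in an archive like the ones reported above, the following added example (not code from dufs, unzip, or any participant in this thread) lists the byte span each entry claims and reports entries whose spans intersect. It is a simplified approximation of the idea, not unzip's actual check: it ignores data descriptors, the central directory and the end records, and the function names and sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"

def entry_spans(data):
    """Return (start, end, name) for each entry listed in the central directory."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                raise ValueError(f"{info.filename}: no local header at {off}")
            # Name and extra-field lengths come from the local header itself.
            name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
            # A trailing data descriptor (flag bit 3) is ignored here, so the
            # computed end is a lower bound and cannot cause a false overlap.
            end = off + 30 + name_len + extra_len + info.compress_size
            spans.append((off, end, info.filename))
    return spans

def find_overlaps(data):
    """Return (earlier, later) name pairs whose byte spans intersect."""
    overlaps, prev = [], None
    for span in sorted(entry_spans(data)):
        if prev is not None and span[0] < prev[1]:
            overlaps.append((prev[2], span[2]))
        if prev is None or span[1] > prev[1]:
            prev = span  # keep the span that reaches furthest
    return overlaps

def make_sample_zip():
    """Constructed sample: two small stored files, laid out back to back."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"alpha\n")
        zf.writestr("b.txt", b"bravo\n")
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real archive; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_zip()
    for start, end, name in sorted(entry_spans(data)):
        print(f"{start:>10} {end:>10}  {name}")
    for a, b in find_overlaps(data):
        print(f"overlap: {a} / {b}")
```

If this reports no overlaps for an archive that unzip still rejects, the conflict lies in a region this sketch does not model (data descriptors, central directory or end records).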