Changelog.md
@@ -1,5 +1,16 @@
1
1
# X.X.X (Next)
2
2
3
+
-
4
+
5
+
# 1.3.0 (Next)
6
+
7
+
Security
8
+
9
+
- Add `validate_entry_sizes` option so that callers can trust an entry's reported size when using `extract`[#403](https://github.com/rubyzip/rubyzip/pull/403)
10
+
- This option defaults to `false` for backward compatibility in this release, but you are strongly encouraged to set it to `true`. It will default to `true` in rubyzip 2.0.
11
+
12
+
New Feature
13
+
3
14
- Add `add_stored` method to simplify adding entries without compression [#366](https://github.com/rubyzip/rubyzip/pull/366)
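Review bot: The Security entry for `validate_entry_sizes` says callers can trust an entry's reported size when using `extract`, but it leaves out the limit that the README text in this same commit spells out: `Zip::InputStream` does not check entry sizes. A short clause here would keep changelog readers from assuming the option covers every read path. Also, the PR link runs straight into the text (`extract`[#403]); add a space before it, as the `add_stored` entry does.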
By default, rubyzip will not overwrite files if they already exist inside of the extracted path. To change this behavior, you may specify a configuration option like so:
223
229
224
230
```ruby
@@ -233,18 +239,63 @@ Additionally, if you want to configure rubyzip to overwrite existing files while
233
239
Zip.continue_on_exists_proc =true
234
240
```
235
241
242
+
### Non-ASCII Names
243
+
236
244
If you want to store non-english names and want to open them on Windows(pre 7) you need to set this option:
237
245
238
246
```ruby
239
247
Zip.unicode_names =true
240
248
```
241
249
250
+
Sometimes file names inside zip contain non-ASCII characters. If you can assume which encoding was used for such names and want to be able to find such entries using `find_entry` then you can force assumed encoding like so:
251
+
252
+
```ruby
253
+
Zip.force_entry_names_encoding ='UTF-8'
254
+
```
255
+
256
+
Allowed encoding names are the same as accepted by `String#force_encoding`
257
+
258
+
### Date Validation
259
+
242
260
Some zip files might have an invalid date format, which will raise a warning. You can hide this warning with the following setting:
243
261
244
262
```ruby
245
263
Zip.warn_invalid_date =false
246
264
```
247
265
266
+
### Size Validation
267
+
268
+
**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.**
269
+
270
+
If you set
271
+
```
272
+
Zip.validate_entry_sizes = true
273
+
```
274
+
then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
275
+
276
+
```ruby
277
+
MAX_FILE_SIZE=10*1024**2# 10MiB
278
+
MAX_FILES=100
279
+
Zip::File.open('foo.zip') do |zip_file|
280
+
num_files =0
281
+
zip_file.each do |entry|
282
+
num_files +=1if entry.file?
283
+
raise'Too many extracted files'if num_files >MAX_FILES
284
+
raise'File too large when extracted'if entry.size >MAX_FILE_SIZE
285
+
entry.extract
286
+
end
287
+
end
288
+
```
289
+
290
+
If you need to extract zip files that report incorrect uncompressed sizes and you really trust them not too be too large, you can disable this setting with
291
+
```ruby
292
+
Zip.validate_entry_sizes =false
293
+
```
294
+
295
+
Note that if you use the lower level `Zip::InputStream` interface, `rubyzip` does *not* check the entry `size`s. In this case, the caller is responsible for making sure it does not read more data than expected from the input stream.
296
+
297
+
### Default Compression
298
+
248
299
You can set the default compression level like so:
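Review bot: The extraction example under Size Validation compares `entry.size` against `MAX_FILE_SIZE`, but per the surrounding text that reported size is only checked against the actual size when `Zip.validate_entry_sizes` is `true`, and the bold line above says the 1.3 default is `false`. Put `Zip.validate_entry_sizes = true` inside the example block itself, or state in its lead-in sentence that it is required, so a reader who copies only the block gets the protection. Smaller points: "(significantly) smaller" leaves the tolerance undefined, the fence around `Zip.validate_entry_sizes = true` lacks the `ruby` tag the other fences use, and "not too be too large" should read "not to be too large".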
It defaults to `Zlib::DEFAULT_COMPRESSION`. Possible values are `Zlib::BEST_COMPRESSION`, `Zlib::DEFAULT_COMPRESSION` and `Zlib::NO_COMPRESSION`
255
306
256
-
Sometimes file names inside zip contain non-ASCII characters. If you can assume which encoding was used for such names and want to be able to find such entries using `find_entry` then you can force assumed encoding like so:
307
+
### Zip64 Support
308
+
309
+
By default, Zip64 support is disabled for writing. To enable it do this:
257
310
258
311
```ruby
259
-
Zip.force_entry_names_encoding='UTF-8'
312
+
Zip.write_zip64_support=true
260
313
```
261
314
262
-
Allowed encoding names are the same as accepted by `String#force_encoding`
315
+
_NOTE_: If you will enable Zip64 writing then you will need zip extractor with Zip64 support to extract archive.
316
+
317
+
### Block Form
263
318
264
319
You can set multiple settings at the same time by using a block:
265
320
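Review bot: The `_NOTE_` under the new Zip64 Support heading is moved with its original wording ("If you will enable Zip64 writing then you will need zip extractor with Zip64 support to extract archive"); since the line is being touched anyway, reword it, for example "If you enable Zip64 writing, the archive can only be extracted by tools that support Zip64." The heading says Zip64 Support while the text only covers writing, so either narrow the heading or add a sentence on reading.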
@@ -272,14 +327,6 @@ You can set multiple settings at the same time by using a block:
272
327
end
273
328
```
274
329
275
-
By default, Zip64 support is disabled for writing. To enable it do this:
276
-
277
-
```ruby
278
-
Zip.write_zip64_support =true
279
-
```
280
-
281
-
_NOTE_: If you will enable Zip64 writing then you will need zip extractor with Zip64 support to extract archive.