|
31 | 31 | of the Commons project</a>.</p> |
32 | 32 | </section> |
33 | 33 |
|
| 34 | + <section name="Security Model"> |
| 35 | + <p>Commons Compress may be used to process untrusted input data. |
| 36 | + Input may be read from the network when this is explicitly requested, |
| 37 | + but the processing of the compressed payload should not trigger |
| 38 | + additional network access, unbounded deserialization |
| 39 | + or code execution. It may require processing power proportional to |
| 40 | + the size of the input. An input causing an OutOfMemoryError, |
| 41 | + StackOverflowError, or another Error may be considered a DoS |
| 42 | + vulnerability when it is unexpected based on the size of the input |
| 43 | + and the resources (RAM, disk, etc) allocated to the process.</p> |
| 44 | + |
| 45 | + <p>Input causing any other RuntimeException is expected and not a |
| 46 | + vulnerability, but may be a regular bug when a more appropriate |
| 47 | + Exception is available</p> |
| 48 | + |
| 49 | + <p>Regular API parameters are typically designed to work with input |
| 50 | + that is either trusted or validated/sanitized by the application |
| 51 | + using the library unless otherwise specified, in accordance with |
| 52 | + the general <a href="https://commons.apache.org/security.html#Security_Model"> |
| 53 | + Apache Commons Security Model</a>.</p> |
| 54 | + </section> |
| 55 | + |
34 | 56 | <section name="Apache Commons Compress Security Vulnerabilities"> |
35 | 57 | <p>This page lists all security vulnerabilities fixed in |
36 | 58 | released versions of Apache Commons Compress. Each |
|
0 commit comments