libwww-perl / HTTP-Message

The HTTP-Message distribution contains classes useful for representing the messages passed in HTTP style communication.

Home Page: https://metacpan.org/pod/HTTP::Message

t/message-decode-zipbomb.t fails on Oracle Linux docker images

q84fh opened this issue · comments

Hello,
I've noticed that during installation on the Oracle Linux docker images 7.9 and 8, the t/message-decode-zipbomb.t test fails with:

#   Failed test 'We die when trying to decode something larger than our global limit of 512k'
#   at t/message-decode-zipbomb.t line 75.
#          got: '1'
#     expected: undef
# ... using Compress::Raw::Zlib version 2.061

#   Failed test 'We die when trying to decode something larger than our limit of 512k using a parameter'
#   at t/message-decode-zipbomb.t line 96.
#          got: '1'
#     expected: undef
# ... using Compress::Raw::Zlib version 2.061
# Looks like you failed 2 tests of 9.
t/message-decode-zipbomb.t ..... 

Steps to reproduce:

docker run --rm -it oraclelinux:7.9 bash -c 'yum -y install perl-App-cpanminus && cpanm HTTP::Message'

I've also tested it on the latest Debian image and the test passes:

docker run --rm -it debian:latest bash -c 'apt update && apt -y install cpanminus && cpanm HTTP::Message'

I've also noticed a similar error detected by cpantesters - maybe it is related.

I've tested the following distributions:

| image | perl version | result |
|---|---|---|
| oraclelinux:7.9 | 5.16.3 | FAIL |
| oraclelinux:8 | 5.26.3 | FAIL |
| debian:latest | 5.32.1 | OK |

It seems that the (ages old) version 2.061 of Compress::Raw::Zlib doesn't support the maximum sizes. Either you make 2.062 a hard prerequisite, or we can skip the tests on the lower versions. That lulls the users into a false sense of security though, since the features then simply don't work.
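A fail-closed way to handle the situation described in the comment above, as an added example that is not part of the thread and not HTTP::Message's own code: the decoder refuses to run when the installed Compress::Raw::Zlib is older than the version the comment names, and otherwise inflates in bounded chunks and dies once the output passes the limit. `bounded_inflate` is a hypothetical helper, the 2.062 minimum is taken from the comment, and the compressed sample is constructed inline.

```perl
use strict;
use warnings;
use Compress::Raw::Zlib qw(Z_OK Z_STREAM_END Z_BUF_ERROR WANT_GZIP WANT_GZIP_OR_ZLIB);

# Assumption taken from the thread: 2.061 does not support the maximum
# sizes, so 2.062 is treated here as the minimum usable version.
my $MIN_ZLIB = '2.062';

# Hypothetical helper: inflate gzip/zlib data and die once more than
# $limit octets of output have been produced.
sub bounded_inflate {
    my ($compressed, $limit) = @_;

    # Fail closed rather than decode without a limit that can be relied on.
    eval { Compress::Raw::Zlib->VERSION($MIN_ZLIB); 1 }
        or die "Compress::Raw::Zlib $Compress::Raw::Zlib::VERSION is too old to enforce a limit\n";

    my ($inflater, $status) = Compress::Raw::Zlib::Inflate->new(
        WindowBits  => WANT_GZIP_OR_ZLIB,
        Bufsize     => 64 * 1024,    # approximate output per inflate() call
        LimitOutput => 1,            # stop each call when the buffer is full
    );
    die "cannot create inflater: $status\n" unless $inflater;

    my ($input, $decoded) = ($compressed, '');    # inflate() consumes $input
    while (1) {
        my $chunk = '';
        $status = $inflater->inflate($input, $chunk);
        die "inflate failed: $status\n"
            unless $status == Z_OK || $status == Z_BUF_ERROR || $status == Z_STREAM_END;
        $decoded .= $chunk;
        die "decoded content would exceed $limit octets\n" if length($decoded) > $limit;
        return $decoded if $status == Z_STREAM_END;
        die "truncated input\n" if !length($chunk) && !length($input);
    }
}

# Constructed sample: 1 MiB of zero bytes, gzip-compressed to about 1 KiB.
my ($deflater) = Compress::Raw::Zlib::Deflate->new(WindowBits => WANT_GZIP, AppendOutput => 1);
my ($zeros, $bomb) = ("\0" x (1024 * 1024), '');
$deflater->deflate($zeros, $bomb);
$deflater->flush($bomb);

for my $limit (2 * 1024 * 1024, 512 * 1024) {
    my $out = eval { bounded_inflate($bomb, $limit) };
    printf "limit %d: %s", $limit,
        defined $out ? "decoded " . length($out) . " octets\n" : "refused: $@";
}
```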

v6.44 is now on its way to CPAN.

Big thanks! Really appreciate the fast merge and release!

Thanks for reporting and fixing this, @q84fh! 🚀