Extracting user uploaded archives without exposing to ZipBombs?


My question is simple: how do I make sure (or prevent) a user from uploading an archive that upon extraction fills the entire disc space (a so-called ZipBomb)? I am using PHP.


Solution

  • Before extracting your archive, use the PHP Zip library functions to ensure that, when extracted, the contents fall within a total size limit.

    For example:

    // Upper bound on the total *uncompressed* size we are willing to extract
    // (example value: 100 MiB; pick one that fits your disk budget).
    define('SIZE_LIMIT', 100 * 1024 * 1024);

    // Note: the procedural zip_*() functions are deprecated since PHP 8.0;
    // zip_open() returns an integer error code (not a resource) on failure.
    $zip = zip_open('uploaded.zip');
    if (!is_resource($zip)) {
        die('Could not open archive');
    }

    $totalsize = 0;
    $file = zip_read($zip);

    while ($file) {
        $totalsize += zip_entry_filesize($file); // uncompressed size of this entry
        $file = zip_read($zip);                  // read next file
    }

    zip_close($zip);

    if ($totalsize > SIZE_LIMIT) {
        // not allowed!
    }
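The same pre-check written with the ZipArchive class, as an added example that is not the answer's code, with a second guard the answer's approach alone does not give you: because the sizes recorded in the central directory are attacker-controlled and can be forged, the function also counts bytes as they are actually inflated and aborts the moment the budget is exceeded. The function name, the entry-count and ratio limits, and the assumption of PHP 8 with the zip extension are mine.

```php
<?php
// Extract $zipPath into $destDir under a hard byte budget. Returns false on
// rejection; the caller is expected to discard $destDir in that case.
// Assumes PHP >= 8.0 with the zip extension; limits shown are illustrative.
function extract_with_limit(string $zipPath, string $destDir, int $maxTotalBytes,
                            int $maxEntries = 1000, float $maxRatio = 100.0): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true || $zip->numFiles > $maxEntries) {
        return false;                                   // unreadable, or too many entries
    }
    // Pass 1: cheap check on the sizes the central directory *claims*.
    $declared = 0; $compressed = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) { $zip->close(); return false; }
        $declared   += $st['size'];
        $compressed += $st['comp_size'];
    }
    if ($declared > $maxTotalBytes || ($compressed > 0 && $declared / $compressed > $maxRatio)) {
        $zip->close();
        return false;                                   // declares more than we allow
    }
    // Pass 2: headers can be forged, so count bytes as they are actually inflated.
    $written = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (str_ends_with($name, '/')) { continue; }    // directory entry, nothing to inflate
        if ($name[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $name)) { $zip->close(); return false; }
        $target = $destDir . '/' . $name;
        @mkdir(dirname($target), 0750, true);
        $in  = $zip->getStream($name);
        $out = fopen($target, 'wb');
        if ($in === false || $out === false) { $zip->close(); return false; }
        while (!feof($in) && ($chunk = fread($in, 65536)) !== false && $chunk !== '') {
            $written += strlen($chunk);
            if ($written > $maxTotalBytes) {            // real output exceeded the budget: abort
                fclose($in); fclose($out); unlink($target); $zip->close();
                return false;
            }
            fwrite($out, $chunk);
        }
        fclose($in); fclose($out);
    }
    $zip->close();
    return true;
}
```

Run it on the upload before anything else touches the extracted files, and delete $destDir whenever it returns false, since a partially written tree may be left behind.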