Might be fun to respond with one of these to malicious requests for &#x2F;.env, &#x2F;.git&#x2F;config and &#x2F;.aws&#x2F;credentials instead of politely returning 404s.

A few years ago David Fitfield invented a technique which provides a million-to-one non-recursive expansion, by overlapping the file streams: <a href="https:&#x2F;&#x2F;www.bamsoftware.com&#x2F;hacks&#x2F;zipbomb&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.bamsoftware.com&#x2F;hacks&#x2F;zipbomb&#x2F;</a>

That&#x27;s not switched on by default unless you use a filesytsem like ZFS.

&gt; Now I read articles like this one talking about &quot;oh yeah Evolution filled up 100GB of space&quot; like that&#x27;s no big deal.Is this actually a practical issue though? Windows, Mac and Linux all support transparent compression at the filesystem level, so 100GB of &#x2F;dev&#x2F;zero isnt actually going to fill much space at all.

I&#x27;ve seen LLMs get into loops because they forgot what they were trying to do. For instance, I asked an LLM to write some code to search for certain types of wordplay, and it started making a word list (rather than writing code to pull in a standard dictionary), and then it got distracted and just kept listing words until it ran out of time.

One of the things that will likely _characterize_ AGI are nondeterministic loops.My bet is that if AGI is possible it will take a form that looks something like<pre><code> x_(n+1) = A * x_n (1 - x_n) 
</code></pre>
Where x is a billions long vector and the parameters in A (sizeof(x)^2 ?) are trained and also tuned to have period 3 or nearly period three for a meta-stable near chaotic progression of x.&quot;Period three implies chaos&quot; <a href="https:&#x2F;&#x2F;www.its.caltech.edu&#x2F;~matilde&#x2F;LiYorke.pdf" rel="nofollow">https:&#x2F;&#x2F;www.its.caltech.edu&#x2F;~matilde&#x2F;LiYorke.pdf</a>That is if AGI is possible at all without wetware.

I&#x27;d be curious if there&#x27;s an LLM prompt equivalent of a zip bomb that will explode the context window. I know there&#x27;s deterministic limits on context window, but future LLMs _are_ going to have strange loops and going to be very susceptible to circular reasoning.Before AGI, there will be a untenable gullible general intelligence.

Another fun one is the .zip or .tar.gz file that decompresses to itself: <a href="https:&#x2F;&#x2F;research.swtch.com&#x2F;zip" rel="nofollow">https:&#x2F;&#x2F;research.swtch.com&#x2F;zip</a>If you are processing emails for security reasons, and want to find viruses even if they are in archive files, it&#x27;s easy to write the code to &quot;just keep unarchiving until we&#x27;re out of things to unarchive&quot;, but not only can that lead to quite astonishing expansions, it can actually be a process that never terminates at all.I remember when I first read about these, and &quot;a small file that decompresses to a gigabyte&quot; was also &quot;a small file that decompresses to several multiples of your entire hard disk space&quot; and even servers couldn&#x27;t handle it. Now I read articles like this one talking about &quot;oh yeah Evolution filled up 100GB of space&quot; like that&#x27;s no big deal.If you have a recursive decompressor you can still make small files that uncompress to large amounts even by 2025 standards, because the symbols the compressor will use to represent &quot;as many zeros as I can have&quot; will themselves be redundant. The rule that you can&#x27;t compress already-compressed content doesn&#x27;t necessarily apply to these sorts of files.

I ran into one of these in the very early 00s; was working at a university (back in the days when a couple of people would run all the central servers, running Linux on beige PCs.) We had some anti-spam&#x2F;AV software that looked at every incoming email hooked into Postfix, and the server kept running out of disk space.Eventually tracked it down to an email which contained a zip of stock trading data – just the three letter stock code and the shift. It wasn&#x27;t malicious, it just had an extraordinarily high compression ratio!

I don&#x27;t think this was done on purpose. If the query string is &quot;?a=b&quot; that&#x27;s fine, and it&#x27;s used in the cache filename. But if the query string is &quot;?a&quot; then it&#x27;s excluded from the cache filename.Either way, the correct full URL is fetched with the full query string. It&#x27;s just how it&#x27;s cached that is affected.

&gt; it’s a good way to make an email that looks completely different depending on which client it’s opened in.Well, for that use the differences in HTML&amp;CSS support and filtering ...I guess the reason they added this was that they noticed many mails contain same tracking images and decided to cut of tracking data that way.

That Evolution mail caching behaviour is really sketchy. I wonder if it could be used for an exploit in the right scenario. If nothing else, it’s a good way to make an email that looks completely different depending on which client it’s opened in.

Not what you were asking for but my favorite valid image is exploit code as PNG image data. It&#x27;s just pixels in specific colors that, after compression, have the bytes in the file spell out something like &lt;script&gt;alert(1)&lt;&#x2F;script&gt;I consulted for a bank once where the server stripped metadata and re-encoded images from scratch again and the devs thought that would remove any maliciousness. It&#x27;s just pixels right? I might have thought so as well, but I had this idea and wanted to double check, and it didn&#x27;t take long to find someone smarter than me had already done the work: <a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20250713054441&#x2F;http:&#x2F;&#x2F;www.idontplaydarts.com&#x2F;2012&#x2F;06&#x2F;encoding-web-shells-in-png-idat-chunks&#x2F;" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20250713054441&#x2F;http:&#x2F;&#x2F;www.idontp...</a> (By now I see there are a dozen commercial parties that rank higher for this topic. Marginalia search helped me re-find the OG post just now)Edit, thought I should add: the solution is to specify the correct content type. Don&#x27;t let your PHP interpreter interpret files in the user uploads directory. Don&#x27;t serve images with content-type text&#x2F;html because the browser will interpret it as HTML (as instructed) and run any code inside on your domain (&#x27;origin&#x27;). Mark data as separate from code whenever possible, or escape it when that&#x27;s impossible

Deflate allows a maximum compression ratio of 1000:1 or thereabouts.Considering I’ve seen real world JPEGs above 300:1 (<a href="https:&#x2F;&#x2F;eoimages.gsfc.nasa.gov&#x2F;images&#x2F;imagerecords&#x2F;73000&#x2F;73909&#x2F;world.topo.bathy.200412.3x21600x21600.A2.jpg" rel="nofollow">https:&#x2F;&#x2F;eoimages.gsfc.nasa.gov&#x2F;images&#x2F;imagerecords&#x2F;73000&#x2F;739...</a>) I would not be surprised if you could craft a jpeg getting very close to or exceeding 4 digits.

There are some stupid tricks you can pull with image formats like emitting the headers for a gigantic image without including enough image data to actually encode the whole image. Most decoders will try to allocate a buffer up front (possibly as much as 16 GB for a 65535x65535 image!) before discovering that the image is truncated.The same trick works with PNG, actually. Possibly even better: it uses a pair of 32-bit integers for the resolution.

You can with PNG, but you have to set a high pixel resolution and most viewers have hard limits before it gets too crazy.

I don&#x27;t think you can do it with Jpeg, but you could probably do it with PNG which is basically using the same compression algorithm as zip.

So can you construct valid image that would also act as zip bomb?Jpeg and other lossy compression images should allow some of that, but dependens on compatibility of compression between gzip and image format.There is that example where you have &quot;zero image&quot; of big dimensions, but can you actually conflate gzip and image compression?

In addition to zip bombing AIs with file parsers, I&#x27;ve wondered about &#x27;context bombs&#x27; in the sense of trigger phrases that trip up LLMs into getting stuck into repeating phrases or reasoning evaluations without ever hitting an end of sequence (EOS) token, thus running a system up against API call limits &#x2F; burning credits &#x2F; effectively ddosing services etc.Due to the inherent fuzziness&#x2F;diversity in all models right now I don&#x27;t think there is a universal approach to this idea but it is something people deploying these systems may want to try and detect.

&gt; I&#x27;m sure there are zip-bomb equivalents in binary formats like .xlsx, PDF, .docx, etc.Yes. Both, docx and xlsx are literally just a zip of XML files with a different extension. PDF can contain zlib streams, which use deflate compression just as gzip, so all the mentioned methods apply to all three formats.

Hmm that reminds me, it idly crossed my mind recently about whether AIs with online RAG have decent zip-bomb protection. This thought was provoked when I realised Perplexity would find and download and (apparently) analyse spreadsheet content. I&#x27;m sure there are zip-bomb equivalents in binary formats like .xlsx, PDF, .docx, etc.

Isn&#x27;t that trivial to prevent zip bombs?

How does it work with Claws Mail&#x2F;Sylpheed?

Yet another reason to prevent emails from downloading stuff from remote servers...It appears that you can&#x27;t do these sorts of things with with CID embedded images...

Fun with gzip bombs and email clients