CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py #80643
Comments
Dear Python Community, we found a Python module vulnerability in the last few days and obtained a CVE number, CVE-2019-9674, after reporting it to cve.mitre.org. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674 The reserved information for CVE-2019-9674 is shown below:

Our proposed solutions:

Unsolved issue

Our solution code:

```python
"""For ratio"""
def _exam_ratio(self, threshold=10):
    """If the ratio exceeds threshold, it may be a ZIP Bomb."""
    sum_file_size = sum(data.file_size for data in self.filelist)
    sum_compress_size = sum(data.compress_size for data in self.filelist)
    ratio = sum_file_size / sum_compress_size
    if ratio > threshold:
        raise BadZipFile("Zip Bomb Detected")

"""For Nested zip file"""
if members.filename.endswith(".zip"):
    ...
```

Thanks! |
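The thread's two proposals (a compressed/uncompressed ratio check and a nested-archive check) can be applied by the consuming application without changing `zipfile`. The following is an added example, not code from the reporter or from CPython: it reads the central-directory metadata first as an early reject, then bounds the bytes that actually come out of the decompressor while reading, since `file_size` and `compress_size` are attacker-supplied header fields. The limit constants, the `SuspiciousZipError` class and the three sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Illustrative policy limits for an application that consumes untrusted archives.
# These values are assumptions for the example, not defaults of zipfile.
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024   # 64 MiB across all members
MAX_RATIO = 100                              # total uncompressed / total compressed
MAX_MEMBERS = 10_000


class SuspiciousZipError(zipfile.BadZipFile):
    """Archive violates the caller's policy (it is not necessarily malformed)."""


def check_zip_policy(data, *, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO,
                     max_members=MAX_MEMBERS, allow_nested=False):
    """Inspect central-directory metadata and raise SuspiciousZipError on a violation.

    Nothing is decompressed here. file_size and compress_size come from the
    central directory, so a crafted archive can under-report them; treat this
    as an early reject and enforce the real byte cap while reading.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise SuspiciousZipError(f"{len(infos)} members exceeds limit {max_members}")
        total_uncompressed = sum(i.file_size for i in infos)
        total_compressed = sum(i.compress_size for i in infos)
        nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    if total_uncompressed > max_total:
        raise SuspiciousZipError(f"declared size {total_uncompressed} exceeds limit {max_total}")
    ratio = total_uncompressed / max(total_compressed, 1)   # guard against zero compressed size
    if ratio > max_ratio:
        raise SuspiciousZipError(f"compression ratio {ratio:.0f} exceeds limit {max_ratio}")
    if nested and not allow_nested:
        raise SuspiciousZipError(f"nested archives not allowed: {nested}")
    return {"uncompressed": total_uncompressed, "compressed": total_compressed,
            "ratio": ratio, "nested": nested}


def is_acceptable(data, **limits):
    """Convenience wrapper: True if the archive passes check_zip_policy."""
    try:
        check_zip_policy(data, **limits)
        return True
    except SuspiciousZipError:
        return False


def read_all_capped(data, cap=MAX_TOTAL_UNCOMPRESSED, chunk=64 * 1024):
    """Decompress every member into memory, aborting once `cap` bytes in total
    have been produced. Unlike the metadata check this bounds what actually
    leaves the decompressor, whatever the headers claim."""
    remaining = cap
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while True:
                    piece = fh.read(min(chunk, remaining + 1))
                    if not piece:
                        break
                    if len(piece) > remaining:
                        raise SuspiciousZipError(f"output exceeded {cap} bytes at {info.filename}")
                    remaining -= len(piece)
                    buf.write(piece)
            out[info.filename] = buf.getvalue()
    return out


def exceeds_cap(data, cap):
    """True if decompressing `data` would produce more than `cap` bytes."""
    try:
        read_all_capped(data, cap=cap)
        return False
    except SuspiciousZipError:
        return True


def build_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Constructed test archive: members is a list of (name, bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (not real bomb payloads): 4 MiB of zeros deflates to a few KiB.
SAMPLE_ZEROS = build_zip([("zeros.bin", b"\0" * (4 * 1024 * 1024))])
SAMPLE_TEXT = build_zip([("notes.txt", b"Release notes: zip handling reviewed.\n" * 10)])
SAMPLE_NESTED = build_zip([("inner.zip", SAMPLE_TEXT)])


if __name__ == "__main__":
    for label, sample in [("zeros", SAMPLE_ZEROS), ("text", SAMPLE_TEXT), ("nested", SAMPLE_NESTED)]:
        try:
            print(label, check_zip_policy(sample))
        except SuspiciousZipError as exc:
            print(label, "rejected:", exc)
```

The ratio check alone rejects the zeros sample (deflate reaches roughly 1000:1 on zeros, which is exactly the legitimate case the next comment raises), so callers who expect such input should raise `max_ratio` and rely on the absolute byte cap in `read_all_capped` instead; the streaming cap is the control that does not depend on header honesty.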
I do not think that the library should limit the compression ratio. A large compression ratio is legitimate. For example, a compressed file of size 1 GiB consisting of zeros has a compression ratio of 1030 (and I suppose it is even larger if bzip2 or lzma compression is used). If this is a problem for your program, your program should make the decision about which ZIP files should be rejected. I suggest closing this issue as "not a bug". |
Going by the CVE number and report, is this a duplicate of bpo-36260? |
Closing as a duplicate of bpo-36260. |
I would request closing the other one as a duplicate and opening this one, since this contains the actual report; or perhaps the report could be copied to bpo-36260. Since Serhiy suggested closing this as not a bug, I will leave the resolution of the other issue to him too. |
You can also leave a comment in the other issue saying there are more details. |
Thanks to the Python community; both of these issues are the same. I also think it is better to write related documentation to reduce this type of problem rather than implementing it in the low-level zipfile module. Perhaps we can provide such a requirement through a pip package. |