Author martin.panter
Recipients Arfrever, christian.heimes, eric.araujo, martin.panter, nadeem.vawda, nikratio, pitrou, serhiy.storchaka, vstinner
Date 2014-09-10.07:11:21
If people are worried about the best low-level decompressor API, maybe leave that as a future enhancement, and just rely on using the existing file reader APIs. I would expect them to have a sensible decompressed buffer size limit; however, “bzip2” and LZMA look susceptible to zip bombing:

>>> GzipFile(fileobj=gzip_bomb).read(1)
>>> BZ2File(bzip_bomb).read(1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/", line 293, in read
    return self._read_block(size)
  File "/usr/lib/python3.4/", line 254, in _read_block
    while n > 0 and self._fill_buffer():
  File "/usr/lib/python3.4/", line 218, in _fill_buffer
    self._buffer = self._decompressor.decompress(rawblock)
>>> z = LZMAFile(lzma_bomb)
b'\x00'  # Slight delay before returning
>>> len(z._buffer)
55675075  # Decompressed much more data than I asked for
Date | User | Action | Args
2014-09-10 07:11:22 | martin.panter | set | recipients: + martin.panter, pitrou, vstinner, christian.heimes, nadeem.vawda, eric.araujo, Arfrever, nikratio, serhiy.storchaka
2014-09-10 07:11:22 | martin.panter | set | messageid: <>
2014-09-10 07:11:22 | martin.panter | link | issue15955 messages
2014-09-10 07:11:21 | martin.panter | create |
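
For comparison with the behaviour reported in the message above, this added example (not part of the original message and not CPython's own code) caps decompressed output with the `max_length` argument that `BZ2Decompressor.decompress()` and `LZMADecompressor.decompress()` accept in Python 3.5 and later. The names `bounded_decompress`, `peek`, `OutputLimitExceeded` and the `CHUNK` value are assumptions made for the illustration, and the sample input is constructed.

```python
import bz2
import lzma

CHUNK = 4096  # compressed bytes fed to the decompressor per step (assumed value)


class OutputLimitExceeded(ValueError):
    """The stream would expand past the caller's limit."""


def bounded_decompress(blob, decompressor, limit):
    """Decompress blob with a fresh decompressor, holding at most limit + 1 bytes."""
    out = bytearray()
    pos = 0
    while not decompressor.eof:
        if decompressor.needs_input:
            if pos >= len(blob):
                raise EOFError("compressed stream is truncated")
            feed = blob[pos:pos + CHUNK]
            pos += len(feed)
        else:
            feed = b""  # drain output the decompressor is still holding
        # Ask for one byte past the limit so an oversized stream is detectable.
        out += decompressor.decompress(feed, max_length=limit + 1 - len(out))
        if len(out) > limit:
            raise OutputLimitExceeded(f"more than {limit} bytes of output")
    return bytes(out)


def peek(blob, decompressor, n):
    """Return up to the first n decompressed bytes; output never exceeds n."""
    return decompressor.decompress(blob, max_length=n)


if __name__ == "__main__":
    zeros = bytes(4 * 1024 * 1024)  # constructed sample: 4 MiB of zeros
    for name, mod, cls in (("bz2", bz2, bz2.BZ2Decompressor),
                           ("lzma", lzma, lzma.LZMADecompressor)):
        bomb = mod.compress(zeros)
        print(name, len(bomb), "compressed bytes; peek ->", peek(bomb, cls(), 1))
        try:
            bounded_decompress(bomb, cls(), limit=64 * 1024)
        except OutputLimitExceeded as exc:
            print(name, "rejected:", exc)
```

Each decompressor object handles a single compressed stream, so pass a new one per call.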