Author christian.heimes
Recipients 18z, christian.heimes, krnick, vstinner, xtreak
Date 2019-03-28.16:54:47
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1553792087.25.0.546401877063.issue36260@roundup.psfhosted.org>
In-reply-to
Content
Issue #36462 contains more information. The reporter claims that the zipfile module is inherent insecure because it does not provide any heuristics to make zipbomb attacks harder.

I'm -1 to implement such a heuristic. The zipfile module is a low level module and should not limit extraction by defaykt. Instead we should improve documentation and maybe implement some method that simplifies detection of zipbomb attacks. I'm thinking about a method that returns total count of files, total compressed size and total uncompressed size.
History
Date User Action Args
2019-03-28 16:54:47christian.heimessetrecipients: + christian.heimes, vstinner, 18z, xtreak, krnick
2019-03-28 16:54:47christian.heimessetmessageid: <1553792087.25.0.546401877063.issue36260@roundup.psfhosted.org>
2019-03-28 16:54:47christian.heimeslinkissue36260 messages
2019-03-28 16:54:47christian.heimescreate