Message339061
Issue #36462 contains more information. The reporter claims that the zipfile module is inherently insecure because it does not provide any heuristics to make zipbomb attacks harder.
I'm -1 to implement such a heuristic. The zipfile module is a low level module and should not limit extraction by default. Instead we should improve documentation and maybe implement some method that simplifies detection of zipbomb attacks. I'm thinking about a method that returns total count of files, total compressed size and total uncompressed size.

Date | User | Action | Args
2019-03-28 16:54:47 | christian.heimes | set | recipients: + christian.heimes, vstinner, 18z, xtreak, krnick
2019-03-28 16:54:47 | christian.heimes | set | messageid: <1553792087.25.0.546401877063.issue36260@roundup.psfhosted.org>
2019-03-28 16:54:47 | christian.heimes | link | issue36260 messages
2019-03-28 16:54:47 | christian.heimes | create |
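
A sketch of the kind of helper the message describes, written as an added example (it is not code from the message or from CPython). The names `zip_totals`, `check_limits` and `read_capped` and the default limits are assumptions; the sizes come from the archive's own headers, which an attacker controls, so the example also caps the bytes actually produced while reading a member.

```python
import io
import zipfile
from typing import NamedTuple

class ZipTotals(NamedTuple):
    file_count: int
    compressed_size: int
    uncompressed_size: int

def zip_totals(zf: zipfile.ZipFile) -> ZipTotals:
    """Sum the sizes declared in the central directory, without extracting."""
    infos = zf.infolist()
    return ZipTotals(len(infos),
                     sum(i.compress_size for i in infos),
                     sum(i.file_size for i in infos))

def check_limits(t: ZipTotals, max_files=10_000, max_bytes=100 * 2**20,
                 max_ratio=100.0) -> list:
    """Return the policy violations (hypothetical limits chosen by the caller)."""
    problems = []
    if t.file_count > max_files:
        problems.append(f"too many members: {t.file_count}")
    if t.uncompressed_size > max_bytes:
        problems.append(f"declared size too large: {t.uncompressed_size}")
    ratio = t.uncompressed_size / max(t.compressed_size, 1)
    if ratio > max_ratio:
        problems.append(f"compression ratio too high: {ratio:.0f}:1")
    return problems

def read_capped(zf: zipfile.ZipFile, info: zipfile.ZipInfo, limit: int,
                chunk: int = 64 * 1024) -> bytes:
    """Read one member in chunks and stop once real output exceeds limit."""
    out = bytearray()
    with zf.open(info) as fh:
        while block := fh.read(chunk):
            out += block
            if len(out) > limit:
                raise ValueError(f"{info.filename}: exceeds {limit} bytes")
    return bytes(out)

def build_sample() -> io.BytesIO:
    """Constructed sample: a small text file and 5 MiB of zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello\n")
        zf.writestr("zeros.bin", b"\0" * (5 * 2**20))
    buf.seek(0)
    return buf
```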