
Author christian.heimes
Recipients 18z, christian.heimes, krnick, vstinner, xtreak
Date 2019-03-28.16:54:47
Message-id <1553792087.25.0.546401877063.issue36260@roundup.psfhosted.org>
Content
Issue #36462 contains more information. The reporter claims that the zipfile module is inherently insecure because it does not provide any heuristics to make zipbomb attacks harder.

I'm -1 on implementing such a heuristic. The zipfile module is a low-level module and should not limit extraction by default. Instead we should improve documentation and maybe implement some method that simplifies detection of zipbomb attacks. I'm thinking about a method that returns the total count of files, total compressed size and total uncompressed size.
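One way to build the helper sketched above on top of the existing zipfile API, as an added example that is not the zipfile module's own code or the proposed API: it sums the central-directory fields without decompressing anything, then compares them against caller-chosen limits. The function names, the default thresholds and the in-memory sample archive are assumptions.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchiveStats:
    file_count: int
    compressed_size: int
    uncompressed_size: int

    @property
    def ratio(self) -> float:
        # Expansion factor of the whole archive; 0.0 for an empty archive.
        return self.uncompressed_size / self.compressed_size if self.compressed_size else 0.0


def archive_stats(zf: zipfile.ZipFile) -> ArchiveStats:
    """Sum the central-directory size fields without reading member data.

    The sizes come from headers the archive's author controls, so this is a
    cheap pre-extraction filter; a robust extractor still caps the bytes it
    actually writes out.
    """
    infos = [i for i in zf.infolist() if not i.is_dir()]
    return ArchiveStats(
        file_count=len(infos),
        compressed_size=sum(i.compress_size for i in infos),
        uncompressed_size=sum(i.file_size for i in infos),
    )


def exceeded_limits(stats, max_files=10_000, max_uncompressed=1 << 30, max_ratio=100.0):
    """Return the names of the limits the archive exceeds (empty list = nothing suspicious)."""
    problems = []
    if stats.file_count > max_files:
        problems.append("file_count")
    if stats.uncompressed_size > max_uncompressed:
        problems.append("uncompressed_size")
    if stats.ratio > max_ratio:
        problems.append("ratio")
    return problems


def make_archive(members):
    """Build an in-memory DEFLATE zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

A single member of 8 MiB of zero bytes deflates to a few kilobytes, so its ratio alone trips the default limit while a small text-only archive passes.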