Author krnick
Recipients 18z, christian.heimes, krnick, serhiy.storchaka, vstinner, xtreak
Date 2019-04-02.06:14:37
Message-id <1554185677.48.0.524260201568.issue36260@roundup.psfhosted.org>
In-reply-to
Content
Hello Python community,

With Christian Heimes’ suggestion, we have prepared an appropriate warning to inform users that they may encounter zip bomb issues when using the zipfile module.

The warning we would like to add in the zipfile documentation is shown below:

https://github.com/python/cpython/blob/3.7/Doc/library/zipfile.rst

   .. warning::

    Never extract files from untrusted sources without prior 
    inspection. It is possible that the file may contain zip bomb 
    issues such as 42.zip. The zip bomb will usually be a small file 
    before decompression, but once it is decompressed, it will 
    exhaust system resources.

You can protect your system by limiting system resources, limiting compression ratio (zip bombs are usually quite high), and checking for nested zip files. 

We are also pleased to provide a patch to enhance the zipfile module to provide basic information.

In zipfile.py

https://github.com/python/cpython/blob/master/Lib/zipfile.py

Inside the ZipFile class:


def filecount(self):
    """Return total count of files in the archive."""
    return len(self.filelist)

def total_compressed_size(self):
    """Return total compressed size in the archive."""
    return sum([data.compress_size for data in self.filelist])

def total_uncompressed_size(self):
    """Return total uncompressed size in the archive."""
    return sum([data.file_size for data in self.filelist])
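
The checks the message lists (entry count, total size, compression ratio, nested zip files) can be run before extraction with the existing zipfile API. This is an added example, not part of the original message or of CPython; the names `inspect_zip`, `read_bounded` and `build_sample` and the thresholds are assumptions, and the sample archive is constructed in memory.

```python
import io
import zipfile

def inspect_zip(source, max_files=1000, max_total=100 * 2**20, max_ratio=100):
    """Return reasons to refuse extraction; an empty list means no finding."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        if len(infos) > max_files:
            findings.append(f"too many entries: {len(infos)}")
        if total > max_total:
            findings.append(f"declared uncompressed size too large: {total}")
        for i in infos:
            # Declared uncompressed size over compressed size, per entry.
            ratio = i.file_size / max(i.compress_size, 1)
            if ratio > max_ratio:
                findings.append(f"high compression ratio: {i.filename} ({ratio:.0f}:1)")
            # Nested archive check: does the member start with a zip local header?
            with zf.open(i) as member:
                if member.read(4) == b"PK\x03\x04":
                    findings.append(f"nested zip: {i.filename}")
    return findings

def read_bounded(zf, info, limit):
    """Decompress one member, failing once more than `limit` bytes come out."""
    out = bytearray()
    with zf.open(info) as member:
        while chunk := member.read(64 * 1024):
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{info.filename} exceeds {limit} bytes")
    return bytes(out)

def build_sample():
    """Constructed sample: 5 MiB of zeros plus an inner zip, all in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * (5 * 2**20))
        zf.writestr("inner.zip", inner.getvalue())
    return outer

if __name__ == "__main__":
    print(inspect_zip(build_sample()))
```

The size fields used by `inspect_zip` come from the archive's own metadata, so `read_bounded` applies the limit to the bytes actually produced during decompression.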