Message339408
The suggested approach is merely a heuristic that reduces the impact of a zipbomb. An attacker can circumvent the heuristic. In best case scenario, the approach just increases the cost factor for a successful DoS. For example an attacker may have to upload 10 larger zip files instead of one smaller zip file to fill up the disk space of a server.
The correct approach is to always verify all data from untrusted sources. It's the 101 of application security. |
|
Date |
User |
Action |
Args |
2019-04-03 18:09:44 | christian.heimes | set | recipients:
+ christian.heimes, vstinner, serhiy.storchaka, 18z, xtreak, krnick, Victor Kung |
2019-04-03 18:09:44 | christian.heimes | set | messageid: <1554314984.69.0.632440529876.issue36260@roundup.psfhosted.org> |
2019-04-03 18:09:44 | christian.heimes | link | issue36260 messages |
2019-04-03 18:09:44 | christian.heimes | create | |
|