Message360037
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)?
The zipfile documentation now contains an explicit warning against ZIP bombs:
"""
Resources limitations
The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.
"""
https://docs.python.org/dev/library/zipfile.html#resources-limitations
Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260. |
|
Date |
User |
Action |
Args |
2020-01-15 10:12:31 | vstinner | set | recipients:
+ vstinner, christian.heimes, rschiron |
2020-01-15 10:12:31 | vstinner | set | messageid: <1579083151.37.0.581430727947.issue39341@roundup.psfhosted.org> |
2020-01-15 10:12:31 | vstinner | link | issue39341 messages |
2020-01-15 10:12:31 | vstinner | create | |
|