Author vstinner
Recipients christian.heimes, rschiron, vstinner
Date 2020-01-15.10:12:31
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1579083151.37.0.581430727947.issue39341@roundup.psfhosted.org>
In-reply-to
Content
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)?

The zipfile documentation now contains an explicit warning against ZIP bombs:

"""
Resources limitations

The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.
"""

https://docs.python.org/dev/library/zipfile.html#resources-limitations

Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260.
History
Date User Action Args
2020-01-15 10:12:31vstinnersetrecipients: + vstinner, christian.heimes, rschiron
2020-01-15 10:12:31vstinnersetmessageid: <1579083151.37.0.581430727947.issue39341@roundup.psfhosted.org>
2020-01-15 10:12:31vstinnerlinkissue39341 messages
2020-01-15 10:12:31vstinnercreate