[issue36260] Cpython/Lib vulnerability found and request a patch submission

JUN-WEI SONG report at bugs.python.org
Tue Apr 2 02:14:37 EDT 2019


JUN-WEI SONG <sungboss2004 at gmail.com> added the comment:

Hello Python community,

With Christian Heimes’ suggestion, we manipulate an appropriate warning to inform users that they may encounter zip bomb issues when using the zipfile module.

The warning we would like to add in the zipfile documentation is shown below:

https://github.com/python/cpython/blob/3.7/Doc/library/zipfile.rst

   .. warning::

    Never extract files from untrusted sources without prior
    inspection. It is possible that the file may contain zip bomb
    issues such as 42.zip. The zip bomb will usually be a small file
    before decompression, but once it is decompressed, it will
    exhaust system resources.

You can protect your system by limiting system resources, limiting compression ratio (zip bombs are usually quite high), and checking for nested zip files. 

We are also pleased to provide a patch to enhance the zipfile module to provide basic information.

In zipfile.py

https://github.com/python/cpython/blob/master/Lib/zipfile.py

Inside the ZipFile class:


def filecount(self):
    """Return total count of files in the archive."""
    return len(self.filelist)

def total_compressed_size(self):
    """Return total compressed size in the archive."""
    return sum([data.compress_size for data in self.filelist])

def total_uncompressed_size(self):
    """Return total uncompressed size in the archive."""
    return sum([data.file_size for data in self.filelist])

----------
resolution:  -> remind
status: closed -> open

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36260>
_______________________________________
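The pre-extraction checks the comment recommends (total size budget, compression ratio, nested archives), as an added example that is not part of the bug report or of the proposed CPython patch. It uses only the public zipfile API; the sample archive, the `inspect_archive` function and its thresholds are constructed for this illustration.

```python
import io
import zipfile

# Constructed sample archive (not from the bug report): one small text
# member, one highly compressible member, and one nested .zip member.
def build_sample_archive() -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("inner.txt", b"nested content")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"hello world")
        z.writestr("zeros.bin", b"\x00" * (4 * 1024 * 1024))  # 4 MiB of zeros
        z.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()

def inspect_archive(data: bytes, max_ratio: float = 100.0,
                    max_total_uncompressed: int = 64 * 1024 * 1024) -> dict:
    """Inspect an archive before extracting anything from it.

    Sizes come from the central directory, which a malicious archive
    controls, so treat this as a first filter: extraction itself must
    still enforce a byte budget while reading each member in chunks.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)
        # A zip bomb has a tiny compressed size and a huge claimed size.
        ratio = uncompressed / compressed if compressed else float("inf")
        if uncompressed > max_total_uncompressed:
            findings.append("total uncompressed size exceeds budget")
        if ratio > max_ratio:
            findings.append("compression ratio %.0f exceeds %.0f" % (ratio, max_ratio))
        for info in infos:
            # Read only the first 4 bytes of each member: a nested archive
            # starts with the local file header signature, whatever its name.
            with z.open(info) as member:
                if member.read(4) == b"PK\x03\x04":
                    findings.append("nested archive: " + info.filename)
    return {"file_count": len(infos), "total_compressed": compressed,
            "total_uncompressed": uncompressed, "ratio": ratio,
            "findings": findings}

if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
```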