[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py
Serhiy Storchaka
report at bugs.python.org
Thu Mar 28 12:16:59 EDT 2019
Serhiy Storchaka <storchaka+cpython at gmail.com> added the comment:
I do not think that the library should limit the compression ratio. A large compression ratio is legit. For example, a compressed file of size 1 GiB consisting of zeros has a compression ratio of 1030 (and I suppose it is even larger if bzip2 or lzma compression is used).
If this is a problem for your program, your program should make a decision about which ZIP files should be rejected.
I suggest closing this issue as "not a bug".
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36462>
_______________________________________
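An added example, not part of the original message or of CPython: one way an application can make the accept/reject decision itself, using the sizes that zipfile exposes on each ZipInfo entry plus a cap on bytes actually decompressed. The limits MAX_TOTAL and MAX_RATIO, the RejectedArchive exception and the helper names are assumptions chosen for illustration.

```python
import io
import zipfile

MAX_TOTAL = 64 * 1024 * 1024   # assumed application limit on total uncompressed bytes
MAX_RATIO = 200                # assumed application limit on per-member ratio


class RejectedArchive(Exception):
    """Raised when an archive exceeds the application's own policy."""


def check_archive(zf, max_total=MAX_TOTAL, max_ratio=MAX_RATIO):
    """Reject on declared sizes before any member data is decompressed."""
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if total > max_total:
            raise RejectedArchive(f"declared size exceeds {max_total} bytes")
        # compress_size is 0 for empty members; skip them to avoid dividing by zero
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            raise RejectedArchive(f"{info.filename}: ratio above {max_ratio}")


def read_member(zf, info, budget, chunk=64 * 1024):
    """Stream one member in chunks so the limit holds on bytes actually
    produced, not only on the values declared in the archive headers."""
    out = bytearray()
    with zf.open(info) as src:
        while True:
            block = src.read(chunk)
            if not block:
                return bytes(out)
            if len(out) + len(block) > budget:
                raise RejectedArchive(f"{info.filename}: output exceeds budget")
            out += block


def make_zip(payload):
    """Constructed sample input: one deflated member in an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.bin", payload)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

Whether a ratio limit is appropriate at all depends on the application, since a highly compressible file is legitimate input; the total-size and streaming budgets are the checks that bound memory and disk use directly.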