[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size
STINNER Victor
report at bugs.python.org
Wed Jan 15 05:12:31 EST 2020
STINNER Victor <vstinner at python.org> added the comment:
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)?
The zipfile documentation now contains an explicit warning against ZIP bombs:
"""
Resources limitations
The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.
"""
https://docs.python.org/dev/library/zipfile.html#resources-limitations
Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39341>
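A defender-side mitigation for the behaviour this issue is about, as an added example that is not CPython code and not from the tracker thread: extraction is capped by the bytes the decompressor actually emits, so the announced uncompressed size in the central directory serves only as a cheap early rejection. The function names (`extract_bounded`, `make_zip`, `exceeds_budget`), the chunk size and the budget values are assumptions.

```python
import io
import zipfile

CHUNK = 64 * 1024  # read the decompressed stream in bounded pieces


class ZipBudgetExceeded(Exception):
    """Extraction would emit more bytes than the caller allows."""


def extract_bounded(data: bytes, budget: int, fail_fast: bool = True) -> dict:
    """Extract an in-memory archive into a dict under a total-bytes budget.
    The central-directory file_size is attacker-controlled, so it only serves
    as an optional early rejection; the count of bytes the decompressor really
    produces is the limit that holds even when the header lies."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if fail_fast and info.file_size > budget - total:
                raise ZipBudgetExceeded(f"{info.filename}: announced size over budget")
            buf = io.BytesIO()
            with zf.open(info) as src:
                while chunk := src.read(CHUNK):
                    total += len(chunk)
                    if total > budget:  # measured output, not the header value
                        raise ZipBudgetExceeded(f"{info.filename}: output passed {budget} bytes")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def make_zip(members: dict) -> bytes:
    """Build a deflated archive in memory (constructed test input, not a real sample)."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return raw.getvalue()


def exceeds_budget(data: bytes, budget: int, fail_fast: bool = True) -> bool:
    """True when extract_bounded rejects the archive under the given budget."""
    try:
        extract_bounded(data, budget, fail_fast)
    except ZipBudgetExceeded:
        return True
    return False
```

Running with `fail_fast=False` exercises the path that matters when the announced size cannot be trusted: 4 MiB of zeros deflates to a few KiB, and the byte count still stops it at the budget.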