[issue36260] Cpython/Lib vulnerability found and request a patch submission
Christian Heimes
report at bugs.python.org
Thu Mar 28 12:54:47 EDT 2019
Christian Heimes <lists at cheimes.de> added the comment:
Issue #36462 contains more information. The reporter claims that the zipfile module is inherently insecure because it does not provide any heuristics to make zipbomb attacks harder.
I'm -1 to implement such a heuristic. The zipfile module is a low level module and should not limit extraction by default. Instead we should improve documentation and maybe implement some method that simplifies detection of zipbomb attacks. I'm thinking about a method that returns total count of files, total compressed size and total uncompressed size.
----------
nosy: +christian.heimes
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36260>
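An added example, not part of the tracker thread and not the method Christian proposes or any CPython API: it computes the three totals he mentions (file count, declared compressed size, declared uncompressed size) from `ZipFile.infolist()`, and then shows why a caller must still cap actual output during extraction, because the sizes in the central directory are written by whoever produced the archive. The function names (`zip_totals`, `extract_bounded`, `exceeds_cap`) and the sample archive are constructed for this illustration.

```python
import io
import zipfile

MIB = 1024 * 1024


def build_sample_archive() -> bytes:
    """Constructed sample (not from the report): a tiny text file plus
    4 MiB of zero bytes, which deflate shrinks to a few KiB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello\n")
        zf.writestr("padding.bin", b"\0" * (4 * MIB))
    return buf.getvalue()


def zip_totals(data: bytes) -> dict:
    """Sum what the central directory declares. These header fields are
    supplied by the archive author, so they are a cheap first filter,
    not a guarantee of how many bytes decompression will really yield."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            "files": len(infos),
            "compressed": sum(i.compress_size for i in infos),
            "uncompressed": sum(i.file_size for i in infos),
        }


def declared_ratio(totals: dict) -> float:
    """Declared expansion factor; a very large value is a red flag."""
    return totals["uncompressed"] / max(totals["compressed"], 1)


def extract_bounded(data: bytes, max_total: int, chunk: int = 64 * 1024) -> int:
    """Decompress entry by entry, counting the bytes actually produced and
    aborting as soon as the cap is exceeded, whatever the headers claimed.
    Returns the total number of bytes produced when within the cap."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    produced += len(block)
                    if produced > max_total:
                        raise ValueError(
                            f"{info.filename}: output exceeded {max_total} bytes"
                        )
    return produced


def exceeds_cap(data: bytes, max_total: int) -> bool:
    """True if bounded extraction of the archive trips the cap."""
    try:
        extract_bounded(data, max_total)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = build_sample_archive()
    totals = zip_totals(sample)
    print(totals, f"declared ratio {declared_ratio(totals):.0f}x")
    print("8 MiB cap:", extract_bounded(sample, max_total=8 * MIB), "bytes produced")
    print("1 MiB cap tripped:", exceeds_cap(sample, max_total=1 * MIB))
```

The declared totals are enough to reject an obviously oversized archive before touching it, but the bounded extractor is the part that actually protects the process: it spends at most `max_total` bytes of output no matter what `file_size` says.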