Created on 2013-04-21 22:05 by nikratio, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Messages (1)

| Message | Author | Date |
|---|---|---|
| msg187532 | Nikolaus Rath (nikratio) | 2013-04-21 22:05 |

The zlib Decompress.decompress has a max_length parameter that limits the size of the returned uncompressed data. The lzma and bz2 decompress methods do not have such a parameter. Therefore, it is not possible to decompress untrusted lzma or bz2 data without becoming susceptible to a DoS attack, as the attacker can force allocation of gigantic buffers by sending just a tiny amount of compressed data:

```
$ dd if=/dev/zero bs=128k count=10k | bzip2 -9 > nasty.bz2
10240+0 records in
10240+0 records out
1342177280 bytes (1.3 GB) copied, 11.0892 s, 121 MB/s
$ dir nasty.bz2
-rw-rw-r-- 1 nikratio nikratio 977 Apr 21 14:58 nasty.bz2
```

It would be great if the lzma and bz2 decompressor methods could also get a max_length parameter to make this situation less threatening.
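The parameter requested in this report was later added: since Python 3.5, `bz2.BZ2Decompressor.decompress()` and `lzma.LZMADecompressor.decompress()` accept `max_length`. The following is an added example (editor's code, not from the report or CPython) showing how a consumer of untrusted bz2/lzma input uses it to cap total output, so a few hundred compressed bytes can no longer force a multi-gigabyte allocation; `decompress_bounded`, `exceeds_limit` and `make_zero_bomb` are names chosen here, and the zero-filled "bomb" is constructed in the block for testing.

```python
import bz2
import lzma


class OutputLimitExceeded(ValueError):
    """Raised when the decompressed output would exceed the caller's cap."""


def _new_decompressor(algo: str):
    if algo == "bz2":
        return bz2.BZ2Decompressor()
    if algo == "lzma":
        return lzma.LZMADecompressor()
    raise ValueError(f"unsupported algorithm: {algo}")


def decompress_bounded(data: bytes, limit: int, algo: str = "bz2") -> bytes:
    """Decompress `data` but never hold more than `limit` output bytes.

    Relies on the incremental decompressor's max_length argument (Python 3.5+)
    so a tiny, highly compressible input cannot force a gigantic allocation.
    """
    decomp = _new_decompressor(algo)
    chunks, total, pending = [], 0, data
    while not decomp.eof:
        # Request at most one byte beyond the remaining budget: an output of
        # exactly `limit` bytes succeeds, while `limit + 1` is caught at once.
        out = decomp.decompress(pending, max_length=limit - total + 1)
        pending = b""  # later rounds only drain output buffered internally
        total += len(out)
        if total > limit:
            raise OutputLimitExceeded(
                f"{algo} stream expands past {limit} bytes; aborted at {total}")
        chunks.append(out)
        if not out and decomp.needs_input:
            raise ValueError("truncated compressed stream")
    return b"".join(chunks)


def exceeds_limit(data: bytes, limit: int, algo: str = "bz2") -> bool:
    """True if decompressing `data` under `limit` is rejected by the cap."""
    try:
        decompress_bounded(data, limit, algo)
    except OutputLimitExceeded:
        return True
    return False


def make_zero_bomb(size: int, algo: str = "bz2") -> bytes:
    """Constructed test input: `size` zero bytes, which compress to almost nothing."""
    zeros = b"\0" * size
    return bz2.compress(zeros) if algo == "bz2" else lzma.compress(zeros)
```

The cap bounds memory held by this code, not the decompressor's own internal state, and a rejected stream is discarded rather than partially returned.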
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:57:44 | admin | set | github: 62013 |
| 2013-04-24 10:58:10 | ezio.melotti | set | status: open -> closed; stage: resolved |
| 2013-04-21 22:09:34 | serhiy.storchaka | set | superseder: bz2, lzma: add option to limit output size; resolution: duplicate |
| 2013-04-21 22:05:19 | nikratio | set | title: lzma and bz2 decompress methods lack max_size attribute -> lzma and bz2 decompress methods lack max_size parameter |
| 2013-04-21 22:05:07 | nikratio | create | |