[New-bugs-announce] [issue17813] lzma and bz2 decompress methods lack max_size attribute
Nikolaus Rath
report at bugs.python.org
Mon Apr 22 00:05:07 CEST 2013
New submission from Nikolaus Rath:
The zlib Decompress.decompress has a max_length parameter that limits the size of the returned uncompressed data.
The lzma and bz2 decompress methods do not have such a parameter.
Therefore, it is not possible to decompress untrusted lzma or bz2 data without becoming susceptible to a DoS attack, as the attacker can force allocation of gigantic buffers by sending just a tiny amount of compressed data:
$ dd if=/dev/zero bs=128k count=10k | bzip2 -9 > nasty.bz2
10240+0 records in
10240+0 records out
1342177280 bytes (1.3 GB) copied, 11.0892 s, 121 MB/s
$ dir nasty.bz2
-rw-rw-r-- 1 nikratio nikratio 977 Apr 21 14:58 nasty.bz2
It would be great if the lzma and bz2 decompressor methods could also get a max_length parameters to make this situation less threatening.
----------
components: Library (Lib)
messages: 187532
nosy: Nikratio
priority: normal
severity: normal
status: open
title: lzma and bz2 decompress methods lack max_size attribute
type: behavior
versions: Python 3.3, Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17813>
_______________________________________
More information about the New-bugs-announce
mailing list