[issue23528] Limit decompressed data when reading from GzipFile
Martin Panter
report at bugs.python.org
Thu Feb 26 11:22:07 CET 2015
New submission from Martin Panter:
This is a patch I originally posted at Issue 15955, but am moving it to a separate issue so there is less confusion. GzipFile.read(<size>) etc is susceptible to decompression bombing. My patch tests and fixes that, making use of the existing “max_length” parameter in the “zlib” module.
The rest of Issue 15955 is about enhancing the bzip and LZMA modules to support limited decompression, but since the zlib module can already limit the decompressed data, I think this gzip patch should be considered as a bug fix rather than enhancement, e.g. the fix for Issue 16043 (gzip decoding for XML RPC module) assumed GzipFile.read(<size>) is limited.
----------
components: Library (Lib)
files: gzip-bomb.patch
keywords: patch
messages: 236659
nosy: nikratio, vadmium
priority: normal
severity: normal
status: open
title: Limit decompressed data when reading from GzipFile
type: behavior
versions: Python 3.4, Python 3.5
Added file: http://bugs.python.org/file38243/gzip-bomb.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23528>
_______________________________________
More information about the Python-bugs-list
mailing list