[Python-Dev] "*zip-bomb" via codecs

Serhiy Storchaka storchaka at gmail.com
Fri Nov 15 00:30:22 CET 2013

It is possible make a DDoS using the fact that codecs registry provides 
access to gzip and bzip2 decompressor. Someone can send HTTP request or 
email message with specified "gzip_codec" or "bzip2_codec" as content 
encoding and great well compressed gzip- or bzip2-file as a content. 
Naive server will use the bytes.decode() method to decompress a content. 
It is possible to create small compressed files which require very much 
time and memory to decompress. Of course bytes.decode() will fail 
becouse decoder returns bytes instead string, but time and memory are 
already wasted.

I have no working example but I'm sure it will be easy to create it. I 
suspect many services will be vulnerable for this attack.

Simple solution for this problem is check any foreign encoding that it 
is conteined in a special set of safe encodings. But every program 
should check it explicitly. For more general solution bytes.decode() 
should reject encoding *before* starting of decoding. I.e. either all 
bytes->str decoders should be registered in separated registry, or all 
codecs should have additional attributes which determines input and 
output type.

More information about the Python-Dev mailing list