[Python-Dev] "*zip-bomb" via codecs
Serhiy Storchaka
storchaka at gmail.com
Fri Nov 15 00:30:22 CET 2013
It is possible to make a DDoS using the fact that the codecs registry provides
access to the gzip and bzip2 decompressors. Someone can send an HTTP request or
email message with "gzip_codec" or "bzip2_codec" specified as the content
encoding and a large, well-compressed gzip or bzip2 file as the content.
A naive server will use the bytes.decode() method to decompress the content.
It is possible to create small compressed files which require very much
time and memory to decompress. Of course bytes.decode() will fail
because the decoder returns bytes instead of a string, but the time and memory
are already wasted.
I have no working example but I'm sure it will be easy to create one. I
suspect many services will be vulnerable to this attack.
A simple solution for this problem is to check that any foreign encoding is
contained in a special set of safe encodings. But every program
should check it explicitly. For a more general solution bytes.decode()
should reject the encoding *before* starting to decode. I.e. either all
bytes->str decoders should be registered in a separate registry, or all
codecs should have additional attributes which determine the input and
output type.
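As an added example (not part of Serhiy's message, and not CPython's own code), here is how a service could apply both of the fixes he suggests before touching a single payload byte: check the declared encoding against an explicit allowlist (the simple solution), and ask the codec registry whether the named codec is a bytes->str text decoder at all (the general solution). The allowlist and the request body are constructed for the example; the bytes->bytes transforms in the standard library are named zlib_codec and bz2_codec, and `_is_text_encoding` is the CodecInfo attribute CPython 3.4 added for exactly this check.

```python
import codecs

# Text encodings this hypothetical service is willing to accept from a peer.
# Constructed for the example; a real deployment chooses its own set.
ALLOWED_TEXT_ENCODINGS = ("ascii", "utf-8", "utf-16", "utf-16-le", "utf-16-be", "latin-1")


def normalize_encoding(name):
    """Map a declared encoding name to the registry's canonical name
    ('UTF8' -> 'utf-8', 'latin-1' -> 'iso8859-1'). Returns None if the
    codec registry has no codec of that name."""
    try:
        return codecs.lookup(name).name
    except LookupError:
        return None


# Canonical forms of the allowlist, computed once so comparisons ignore aliases.
_ALLOWED_CANONICAL = frozenset(codecs.lookup(n).name for n in ALLOWED_TEXT_ENCODINGS)


def is_text_encoding(name):
    """True if the registered codec is a bytes->str text decoder.
    CPython 3.4+ marks bytes->bytes transforms such as zlib_codec and
    bz2_codec with CodecInfo._is_text_encoding = False; an absent attribute
    means an ordinary text codec, so default to True. Unknown names give False."""
    try:
        info = codecs.lookup(name)
    except LookupError:
        return False
    return bool(getattr(info, "_is_text_encoding", True))


def check_encoding(declared):
    """Return None if `declared` is acceptable, else a short reason.
    Both checks work on the name alone, so no payload bytes are examined."""
    canonical = normalize_encoding(declared)
    if canonical is None:
        return "unknown encoding"
    if not is_text_encoding(declared):
        return "not a text encoding"        # the general fix: reject transforms
    if canonical not in _ALLOWED_CANONICAL:
        return "encoding not in allowlist"  # the simple fix: explicit safe set
    return None


def safe_decode(payload, declared):
    """Decode `payload` only after its declared encoding passes check_encoding()."""
    reason = check_encoding(declared)
    if reason is not None:
        raise ValueError(f"refusing to decode as {declared!r}: {reason}")
    return payload.decode(declared)


if __name__ == "__main__":
    # A constructed request body: a legitimate UTF-8 payload, then peers that
    # declare a compression codec (or nonsense) as the charset.
    body = "hello".encode("utf-8")
    print(safe_decode(body, "UTF8"))
    for bad in ("zlib_codec", "bz2_codec", "cp1252", "no-such-charset"):
        print(bad, "->", check_encoding(bad))
```

Since Python 3.4, bytes.decode() itself raises LookupError for a non-text encoding such as "zlib_codec" before any decoding starts, which is the general fix the post asks for. The allowlist is still worth keeping: it also stops a peer from declaring an obscure but legitimate text codec the service never intended to support.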