Martin Panter added the comment:

If people are worried about the best low-level decompressor API, maybe leave 
that as a future enhancement, and just rely on using the existing file reader 
APIs. I would expect them to have a sensible decompressed buffer size limit, 
however “bzip2” and LZMA look susceptible to zip bombing:

>>> GzipFile(fileobj=gzip_bomb).read(1)
b'\x00'
>>> BZ2File(bzip_bomb).read(1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/bz2.py", line 293, in read
    return self._read_block(size)
  File "/usr/lib/python3.4/bz2.py", line 254, in _read_block
    while n > 0 and self._fill_buffer():
  File "/usr/lib/python3.4/bz2.py", line 218, in _fill_buffer
    self._buffer = self._decompressor.decompress(rawblock)
MemoryError
>>> z = LZMAFile(lzma_bomb)
>>> z.read(1)
b'\x00'  # Slight delay before returning
>>> len(z._buffer)
55675075  # Decompressed much more data than I asked for

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue15955>
_______________________________________
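
A way to cap decompressed output for the two formats the comment flags, as an added example that is not part of the original message or of CPython's file readers. It assumes Python 3.5 or later, where `BZ2Decompressor.decompress()` and `LZMADecompressor.decompress()` accept `max_length`; `bounded_decompress`, `check`, `OutputLimitExceeded`, `CHUNK` and the sample payloads are names and data constructed here.

```python
import bz2
import lzma

CHUNK = 64 * 1024  # most decompressed bytes requested from the codec per call


class OutputLimitExceeded(Exception):
    """The stream expands past the caller's limit."""


def bounded_decompress(data, make_decompressor, limit):
    """Decompress one bz2 or xz/LZMA stream, refusing more than `limit` bytes.

    Memory held for output never exceeds limit + CHUNK, whatever the ratio.
    """
    d = make_decompressor()
    out = bytearray()
    feed = data
    while not d.eof:
        if not feed and d.needs_input:
            raise EOFError("compressed stream ended before its end marker")
        # max_length bounds this call's output; unconsumed input stays
        # buffered inside the decompressor, so later calls pass b"".
        out += d.decompress(feed, max_length=CHUNK)
        feed = b""
        if len(out) > limit:
            raise OutputLimitExceeded("output exceeds %d bytes" % limit)
    return bytes(out)


def check(data, make_decompressor, limit):
    """Return 'ok' or 'rejected' for a stream under the given limit."""
    try:
        bounded_decompress(data, make_decompressor, limit)
        return "ok"
    except OutputLimitExceeded:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample: 8 MiB of zero bytes, a few KiB once compressed.
    zeros = bytes(8 * 1024 * 1024)
    for name, mod, cls in (("bz2", bz2, bz2.BZ2Decompressor),
                           ("lzma", lzma, lzma.LZMADecompressor)):
        blob = mod.compress(zeros)
        print(name, len(blob), check(blob, cls, limit=1024 * 1024))
```

Data after the end-of-stream marker is left in the decompressor's `unused_data` and is not processed by this function.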