New submission from Martin Panter:

This is a patch I originally posted at Issue 15955, but am moving it to a 
separate issue so there is less confusion. GzipFile.read(<size>) etc. is 
susceptible to decompression bombing. My patch tests and fixes that, making use 
of the existing “max_length” parameter in the “zlib” module.

The rest of Issue 15955 is about enhancing the bzip and LZMA modules to support 
limited decompression, but since the zlib module can already limit the 
decompressed data, I think this gzip patch should be considered as a bug fix 
rather than an enhancement, e.g. the fix for Issue 16043 (gzip decoding for XML 
RPC module) assumed GzipFile.read(<size>) is limited.

----------
components: Library (Lib)
files: gzip-bomb.patch
keywords: patch
messages: 236659
nosy: nikratio, vadmium
priority: normal
severity: normal
status: open
title: Limit decompressed data when reading from GzipFile
type: behavior
versions: Python 3.4, Python 3.5
Added file: http://bugs.python.org/file38243/gzip-bomb.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23528>
_______________________________________
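
The "max_length" parameter mentioned in the message, shown in use as an added example (this is not the code from gzip-bomb.patch): a chunked gzip decompressor that stops as soon as the output passes a caller-chosen limit. The names bounded_gunzip, OutputLimitExceeded and CHUNK are hypothetical, and the sample input is constructed.

```python
import gzip
import io
import zlib

CHUNK = 4096  # compressed bytes fed to zlib per step (assumed value)


class OutputLimitExceeded(Exception):
    """Decompressed size went past the caller's limit."""


def bounded_gunzip(stream, limit):
    """Decompress the first gzip member of `stream`, refusing more than `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out = bytearray()
    while not d.eof:
        buf = stream.read(CHUNK)
        if not buf:
            raise EOFError("gzip stream ended before its end-of-stream marker")
        # max_length caps what this call may return, so at most limit + 1 bytes
        # are ever held; the extra byte is what proves the limit was exceeded.
        out += d.decompress(buf, limit + 1 - len(out))
        if len(out) > limit:
            raise OutputLimitExceeded(f"more than {limit} bytes of output")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input: 10 MiB of zeros compresses to about 10 KiB.
    bomb = gzip.compress(bytes(10 * 1024 * 1024))
    print(len(bomb), "compressed bytes")
    try:
        bounded_gunzip(io.BytesIO(bomb), 64 * 1024)
    except OutputLimitExceeded as exc:
        print("rejected:", exc)
    print(bounded_gunzip(io.BytesIO(gzip.compress(b"ok")), 64 * 1024))
```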