Message 339408 - Python tracker (original) (raw)

Message339408

Author	christian.heimes
Recipients	18z, Victor Kung, christian.heimes, krnick, serhiy.storchaka, vstinner, xtreak
Date	2019-04-03.18:09:44
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	1554314984.69.0.632440529876.issue36260@roundup.psfhosted.org
In-reply-to

Content
The suggested approach is merely a heuristic that reduces the impact of a zipbomb. An attacker can circumvent the heuristic. In best case scenario, the approach just increases the cost factor for a successful DoS. For example an attacker may have to upload 10 larger zip files instead of one smaller zip file to fill up the disk space of a server. The correct approach is to always verify all data from untrusted sources. It's the 101 of application security.

Content

The suggested approach is merely a heuristic that reduces the impact of a zipbomb. An attacker can circumvent the heuristic. In best case scenario, the approach just increases the cost factor for a successful DoS. For example an attacker may have to upload 10 larger zip files instead of one smaller zip file to fill up the disk space of a server. The correct approach is to always verify all data from untrusted sources. It's the 101 of application security.

History
Date	User	Action	Args
2019-04-03 18:09:44	christian.heimes	set	recipients: + christian.heimes, vstinner, serhiy.storchaka, 18z, xtreak, krnick, Victor Kung
2019-04-03 18:09:44	christian.heimes	set	messageid: 1554314984.69.0.632440529876.issue36260@roundup.psfhosted.org
2019-04-03 18:09:44	christian.heimes	link	issue36260 messages
2019-04-03 18:09:44	christian.heimes	create