I didn't think of it at first, but I see 2 ways to do it:

- limit the resources available with the resource module. Are there any other parts of Django using this technique?
- use the zlib module instead of the gzip one, with a max_size in the decompress function. A pattern could be to require the Content-Length of the request to be equal to the uncompressed size and use it as the max_size argument to be more dynamic, or just to set an arbitrary max_size. It will involve more work than just using the gzip module though.

On Sunday, May 26, 2013 9:23:55 PM UTC+9, Mikhail Korobov wrote:
> Request decompression looks scary: how are you going to implement
> protection against zip bombs (http://en.wikipedia.org/wiki/Zip_bomb)? See
> also: http://bugs.python.org/issue16043
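
The second option in the reply above (zlib with an arbitrary output cap), as an added example that is not code from this thread or from Django. It relies on the standard library's `zlib.decompressobj().decompress(data, max_length)`; the names `bounded_gunzip`, `MAX_DECOMPRESSED` and `DecompressedBodyTooLarge` are hypothetical, and the 1 MiB cap is an assumed value.

```python
import gzip
import zlib

MAX_DECOMPRESSED = 1024 * 1024  # assumed cap (1 MiB); tune per deployment


class DecompressedBodyTooLarge(Exception):
    """The decompressed request body would exceed the configured cap."""


def bounded_gunzip(chunks, max_size=MAX_DECOMPRESSED):
    """Decompress a gzip body supplied as an iterable of byte chunks.

    Output is requested from zlib at most one byte past the remaining
    budget, so memory use stays near max_size however well the input
    compresses.
    """
    # wbits = 16 + MAX_WBITS tells zlib to expect a gzip header and trailer.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = bytearray()
    for chunk in chunks:
        while chunk and not d.eof:
            # budget is always >= 1; max_length=0 would mean "no limit".
            budget = max_size - len(out) + 1
            out += d.decompress(chunk, budget)
            if len(out) > max_size:
                raise DecompressedBodyTooLarge(
                    "body exceeds %d bytes after decompression" % max_size)
            # Input zlib did not consume because the output limit was hit.
            chunk = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_size:
        raise DecompressedBodyTooLarge(
            "body exceeds %d bytes after decompression" % max_size)
    if not d.eof:
        # flush() does not complain about a stream cut short; check eof.
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample bodies: one ordinary, one highly compressible.
    ok = gzip.compress(b'{"name": "value"}' * 50)
    print(len(bounded_gunzip([ok])))
    oversized = gzip.compress(b"\0" * (4 * MAX_DECOMPRESSED))
    try:
        bounded_gunzip([oversized])
    except DecompressedBodyTooLarge as exc:
        print("rejected:", exc)
```
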
