#36588: Harden `django.utils.archive` against decompression bombs
-------------------------------------+-------------------------------------
     Reporter:  Natalia Bidart       |                     Type:  Cleanup/optimization
       Status:  new                  |                Component:  Utilities
      Version:  dev                  |                 Severity:  Normal
     Keywords:  archive              |             Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 The `django.utils.archive` module is an internal utility used by
 `startapp` and `startproject` when the `--template` option is provided.
 The current implementation does not impose limits on extracted file size,
 file count, or decompression time. This makes it possible for a crafted
 archive to consume excessive resources.
 ''Thanks to "junfuchong (chongfujun)" for the report.''

 This is not considered a security issue under Django's policy because:

 * The module is undocumented and only used in local development commands.
 * Our policy excludes issues that affect only local dev, and these
   commands are not intended to run on untrusted archives in production.

 Still, adding safeguards (such as maximum size or file count limits) would
 make the code more robust and user-friendly. This ticket tracks such
 hardening work after a conversation held within the Security Team.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/36588>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups "Django updates" group.
To view this discussion visit https://groups.google.com/d/msgid/django-updates/010701990b044414-7c7e44fd-be86-4d9c-b0ac-b3c123fcd4b6-000000%40eu-central-1.amazonses.com.
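The three safeguards the ticket lists (a cap on extracted size, a cap on file count, and a bound on decompression work) as an added example that is neither Django's `django.utils.archive` code nor part of the ticket. It handles zip archives only; the `Limits` dataclass, the limit values, the function names (`check_archive`, `safe_extract`, `extract_to_tempdir`, `make_zip`) and the sample archives are all this example's own assumptions. The point it makes beyond the ticket text is that central-directory sizes are attacker-controlled, so a header check alone is not enough: bytes must also be counted as they come off the decompressor, which is what bounds CPU time as well as disk.

```python
# Added example, not django.utils.archive: a zip extractor with member-count,
# declared-size, compression-ratio and actual-bytes limits.  Names and limit
# values are assumptions made for this example.
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass


class ArchiveLimitExceeded(Exception):
    """Raised when an archive would exceed one of the configured limits."""


@dataclass(frozen=True)
class Limits:
    max_members: int = 1000            # assumed cap on entries in the archive
    max_total_bytes: int = 64 * 2**20  # assumed cap on uncompressed bytes
    max_ratio: int = 100               # assumed cap on uncompressed/compressed


DEFAULT_LIMITS = Limits()
CHUNK = 64 * 1024


def check_archive(data: bytes, limits: Limits = DEFAULT_LIMITS):
    """Inspect the central directory; return a rejection reason or None.

    Cheap (nothing is decompressed) but it trusts the headers, so it is only
    the first gate: safe_extract() re-counts bytes as they are written.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits.max_members:
            return "too many members"
        declared = 0
        for info in infos:
            declared += info.file_size
            if declared > limits.max_total_bytes:
                return "declared size too large"
            # A very high ratio is the signature of a classic zip bomb.
            if info.compress_size and info.file_size / info.compress_size > limits.max_ratio:
                return "compression ratio too high"
    return None


def safe_extract(data: bytes, dest: str, limits: Limits = DEFAULT_LIMITS) -> dict:
    """Extract into dest under the limits; return {'files': n, 'bytes': n}."""
    reason = check_archive(data, limits)
    if reason:
        raise ArchiveLimitExceeded(reason)
    dest = os.path.realpath(dest)
    written = files = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ArchiveLimitExceeded(f"member escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                # Count bytes as they leave the decompressor: headers can lie,
                # and this cap also bounds the CPU time spent inflating.
                while chunk := src.read(CHUNK):
                    written += len(chunk)
                    if written > limits.max_total_bytes:
                        raise ArchiveLimitExceeded("actual size exceeds limit")
                    dst.write(chunk)
            files += 1
    return {"files": files, "bytes": written}


def extract_to_tempdir(data: bytes, limits: Limits = DEFAULT_LIMITS) -> dict:
    return safe_extract(data, tempfile.mkdtemp(), limits)


def make_zip(members):
    """Build an in-memory zip from (name, bytes) pairs (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives (not real project templates).
BENIGN_ZIP = make_zip([("app/__init__.py", b""),
                       ("app/models.py", b"from django.db import models\n")])
RATIO_BOMB_ZIP = make_zip([("zeros.bin", bytes(4 * 2**20))])  # 4 MiB of zeros, a few KiB deflated
MANY_FILES_ZIP = make_zip([(f"f{i}", b"x") for i in range(1001)])

if __name__ == "__main__":
    print("benign:", extract_to_tempdir(BENIGN_ZIP))
    for label, sample in [("ratio bomb", RATIO_BOMB_ZIP), ("many files", MANY_FILES_ZIP)]:
        print(label, "->", check_archive(sample))
```

The ratio test is what catches the zeros archive (4 MiB declared is well under the 64 MiB total cap), and the streaming counter in `safe_extract` is what would catch an archive whose headers under-report its size; the path check is the usual companion guard and is not part of what the ticket asks for.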