Ben Caller <bcal...@gmail.com> added the comment:
I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes. We need a 512 byte PAX format header block as normal. Then we need a pax header which matches the regex in https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1243 length, keyword = re.compile(br"(\d+) ([^=]+)=").groups() We use the `length` variable to iterate: https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1271 while True: ... pos += length So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever. Nice find. Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it. ---------- nosy: +bc Added file: https://bugs.python.org/file49309/recursion.tar _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue39017> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
