[issue36260] Cpython/Lib vulnerability found and request a patch submission

2019-05-02 Thread JUN-WEI SONG
JUN-WEI SONG added the comment: Thank you very much for your reply. Based on the discussion above, the consensus is to improve the zipfile documentation, and we (JUN-WEI SONG & KunYu Chen) would like to work on this. With the opinions of Serhiy Storchaka, Christian Heimes and the ideas we

2019-04-07 Thread Victor Kung
Victor Kung added the comment: I see. @Christian Heimes Thank you for the response.

2019-04-03 Thread Christian Heimes
Christian Heimes added the comment: The suggested approach is merely a heuristic that reduces the impact of a zipbomb. An attacker can circumvent the heuristic. In the best-case scenario, the approach just increases the cost factor for a successful DoS. For example an attacker may have to

2019-04-03 Thread Victor Kung
Victor Kung added the comment: Hello Python community, I'm curious why the patch or pitfall prevention in ZipFile is not suggested. I have no idea if everyone reads the documentation in detail. It seems straightforward to add the methods to ZipFile, well documented, rather than just warn in

2019-04-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I am against such trivial methods in ZipFile. Its interface is already complicated. The advantage of Python is that you do not need tons of methods for every possible query -- you can just combine a few Python features into a one-line expression. As for the

2019-04-02 Thread JUN-WEI SONG
JUN-WEI SONG added the comment: Hello Python community, With Christian Heimes' suggestion, we have prepared an appropriate warning to inform users that they may encounter zip bomb issues when using the zipfile module. The warning we would like to add to the zipfile documentation is shown below:

2019-03-28 Thread KunYu Chen
KunYu Chen added the comment: Thank you for the responses. I agree with Christian Heimes. It's indeed better to improve the documentation rather than directly implement the heuristic.

2019-03-28 Thread JUN-WEI SONG
JUN-WEI SONG added the comment: Thank you, Python community, these two issues are indeed the same problem. I also think that it is good to make a related document to reduce such problems. -- stage: -> resolved; status: -> closed

2019-03-28 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: All these are simple one-liners:
len(zf.infolist())
sum(zi.compress_size for zi in zf.infolist())
sum(zi.file_size for zi in zf.infolist())
-- nosy: +serhiy.storchaka
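The three one-liners above applied to a constructed in-memory archive, together with a bounded extraction that charges the bytes actually produced against a budget instead of trusting the header fields (the gap Christian Heimes points out for header-based heuristics). This is an added example, not code from the thread or from CPython's zipfile module; the function names and the sample archive are mine.

```python
import io
import zipfile

def build_sample_zip() -> bytes:
    # Constructed sample archive: a tiny text member plus 1 MB of zeros,
    # which deflate shrinks to about a kilobyte (a very high ratio).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello zipfile")
        zf.writestr("zeros.bin", b"\0" * 1_000_000)
    return buf.getvalue()

def header_stats(data: bytes) -> dict:
    # The three one-liners from the thread. Every value comes from the
    # central-directory headers, so this is a cheap pre-check only.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(zi.compress_size for zi in infos)
        uncompressed = sum(zi.file_size for zi in infos)
    return {
        "members": len(infos),
        "compress_size": compressed,
        "file_size": uncompressed,
        "ratio": uncompressed / max(compressed, 1),
    }

def bounded_extract(data: bytes, max_total: int, chunk: int = 64 * 1024) -> dict:
    # Decompress each member in chunks and count the bytes actually
    # produced; abort as soon as the budget is exceeded, so the limit
    # holds regardless of what file_size in the headers claims.
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            parts = []
            with zf.open(zi) as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    total += len(block)
                    if total > max_total:
                        raise ValueError(f"{zi.filename}: output exceeded {max_total} bytes")
                    parts.append(block)
            out[zi.filename] = b"".join(parts)
    return out

if __name__ == "__main__":
    sample = build_sample_zip()
    print(header_stats(sample))
    print(sorted(bounded_extract(sample, max_total=2_000_000)))
```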

2019-03-28 Thread Christian Heimes
Christian Heimes added the comment: Issue #36462 contains more information. The reporter claims that the zipfile module is inherently insecure because it does not provide any heuristics to make zipbomb attacks harder. I'm -1 to implement such a heuristic. The zipfile module is a low level

2019-03-12 Thread KunYu Chen
KunYu Chen added the comment: Thank you Karthikeyan Singaravelan. We're working on it :D Kunyu Chen

2019-03-11 Thread STINNER Victor
Change by STINNER Victor: -- nosy: +vstinner

2019-03-11 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: You can find the process to report security vulnerabilities at https://www.python.org/news/security/ . Please email the details to secur...@python.org, who will analyze the report before public disclosure. -- nosy: +xtreak

2019-03-11 Thread KunYu Chen
KunYu Chen added the comment: Dear community, I am one of the discoverers of this vulnerability. Please tell us what to do next :D Kunyu Chen -- nosy: +18z

2019-03-11 Thread Nick Sung
New submission from Nick Sung: Dear Python Community, We've found a vulnerability in cpython Lib and have already received a CVE number (CVE-2019-9674) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674 We also have a patch for this vulnerability; please tell us what to do next. Since