Description
Bug report
Bug description:
Just found this vulnerability in the latest Python 3.11.5 (and the previous 3.10.10).
If we craft a zipbomb using the "quoted-overlap" way (as mentioned at https://www.bamsoftware.com/hacks/zipbomb/), this can't be detected by Python's zipfile, and the zip will be extracted and thus potentially cause a DoS attack by consuming all the storage.
This issue is related to CVE-2019-9674 but is not the same. CVE-2019-9674 is talking about the "normal" overlap zipbomb, which is a "full" overlap. This can already be detected by Python's new version of zipfile. However, when we craft a "quoted-overlap" zip, as described at https://www.bamsoftware.com/hacks/zipbomb/, Python can't detect it and happily starts to extract.
For example, the following is the Python used to extract a zip file that is 116 KB before extraction and grows to as large as 17 GB after extraction. The size after extraction can easily be increased to multiple TB or even PB by adjusting the zip creation.
```python
import zipfile
import sys
import os


def extract_zip(zip_path):
    """
    Extracts the contents of a ZIP file to the current directory.

    :param zip_path: Path to the ZIP file
    """
    if not os.path.exists(zip_path):
        print(f"Error: {zip_path} does not exist.")
        return

    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        zip_ref.extractall()
        print(f"Extracted contents of {zip_path} to the current directory.")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python extract_zip.py <path_to_zip_file>")
        sys.exit(1)

    zip_file_path = sys.argv[1]
    extract_zip(zip_file_path)
```
CPython versions tested on:
3.11
Operating systems tested on:
Linux
Linked PRs
- gh-109858: Protect zipfile from "quoted-overlap" zipbomb #110016
- [3.12] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) #113912
- [3.11] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) #113913
- [3.10] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) #113914
- [3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) #113915
- [3.8] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) #113916
- Add @requires_zlib() decorator for gh-109858 tests #113918
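Added example (not the reporter's code and not the fix from the linked PRs): a layout check that a caller can run before `extractall()`, independent of which CPython version is installed. It walks the central directory in header-offset order and flags any entry whose local header sits inside another entry's compressed data, which is exactly the geometry the quoted-overlap bomb relies on, and it refuses to decompress anything before that check passes. The two sample archives are constructed here with `struct`; the "quoted" one uses stored entries instead of the deflate-quoting trick from the bamsoftware write-up, so it has the overlapping layout but is tiny and is not itself a bomb. The helper names (`scan_for_overlaps`, `check_archive`, `extract_with_budget`, `build_*`) are assumptions of this example.

```python
import io
import os
import struct
import tempfile
import zipfile
import zlib

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_HEADER_LEN = 30  # fixed part of a local file header


def _local_entry(name: bytes, payload: bytes) -> bytes:
    """Local file header + name + stored (uncompressed) payload."""
    hdr = struct.pack("<4s2B4HL2L2H", LOCAL_SIG, 20, 0, 0, zipfile.ZIP_STORED, 0, 0,
                      zlib.crc32(payload), len(payload), len(payload), len(name), 0)
    return hdr + name + payload


def _cd_entry(name: bytes, payload: bytes, header_offset: int) -> bytes:
    """Central directory record that points at the local header at header_offset."""
    return struct.pack("<4s4B4HL2L5H2L", CDIR_SIG, 20, 0, 20, 0, 0, zipfile.ZIP_STORED,
                       0, 0, zlib.crc32(payload), len(payload), len(payload),
                       len(name), 0, 0, 0, 0, 0, header_offset) + name


def _finish(body: bytes, *cd_records: bytes) -> bytes:
    cd = b"".join(cd_records)
    eocd = struct.pack("<4s4H2LH", EOCD_SIG, 0, 0, len(cd_records), len(cd_records),
                       len(cd), len(body), 0)
    return body + cd + eocd


def build_honest_zip() -> bytes:
    """Constructed sample: two stored entries laid out back to back."""
    a, b = b"A" * 16, b"B" * 16
    entry_a, entry_b = _local_entry(b"a.txt", a), _local_entry(b"b.txt", b)
    return _finish(entry_a + entry_b, _cd_entry(b"a.txt", a, 0),
                   _cd_entry(b"b.txt", b, len(entry_a)))


def build_quoted_overlap_zip() -> bytes:
    """Constructed sample with quoted-overlap geometry: b.txt's whole local entry
    is 'quoted' inside a.txt's data and the central directory points at both."""
    inner = _local_entry(b"b.txt", b"B" * 16)
    outer_payload = inner + b"tail"
    entry_a = _local_entry(b"a.txt", outer_payload)
    b_offset = LOCAL_HEADER_LEN + len(b"a.txt")  # b.txt's header starts inside a.txt's data
    return _finish(entry_a, _cd_entry(b"a.txt", outer_payload, 0),
                   _cd_entry(b"b.txt", b"B" * 16, b_offset))


def scan_for_overlaps(zip_bytes: bytes) -> list:
    """Report entries whose local header or data overlaps another entry or the
    central directory. Nothing is decompressed, so a bomb cannot hurt the scanner."""
    eocd_pos = zip_bytes.rfind(EOCD_SIG)
    if eocd_pos < 0:
        return ["no end-of-central-directory record"]
    cd_start = struct.unpack_from("<L", zip_bytes, eocd_pos + 16)[0]  # offset of central dir
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            entries = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    except zipfile.BadZipFile as exc:  # a patched zipfile may already reject it
        return [f"zipfile rejected archive: {exc}"]
    findings, prev_name, prev_end = [], None, 0
    for zi in entries:
        off = zi.header_offset
        if off + LOCAL_HEADER_LEN > cd_start or zip_bytes[off:off + 4] != LOCAL_SIG:
            findings.append(f"{zi.filename}: no valid local header at offset {off}")
            continue
        name_len, extra_len = struct.unpack_from("<2H", zip_bytes, off + 26)
        data_end = off + LOCAL_HEADER_LEN + name_len + extra_len + zi.compress_size
        if off < prev_end:  # this header lies inside the previous entry's data
            findings.append(f"{zi.filename}: local header at {off} lies inside the data of "
                            f"{prev_name} (ends at {prev_end}); possible quoted-overlap bomb")
        if data_end > cd_start:
            findings.append(f"{zi.filename}: compressed data runs into the central directory")
        prev_name, prev_end = zi.filename, max(prev_end, data_end)
    return findings


def check_archive(zip_bytes: bytes, max_total_size: int = 1 << 30) -> list:
    """Layout check plus a budget on the declared uncompressed size."""
    findings = scan_for_overlaps(zip_bytes)
    if not findings:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            total = sum(zi.file_size for zi in zf.infolist())
        if total > max_total_size:
            findings.append(f"declared uncompressed size {total} exceeds budget {max_total_size}")
    return findings


def extract_with_budget(zip_bytes: bytes, dest_dir: str, max_total_size: int = 1 << 30) -> list:
    """Refuse archives that fail check_archive, then extract while counting bytes
    actually written, so a central directory that lies about sizes cannot exceed
    the budget either. Member names are not path-sanitised here. Returns the names."""
    findings = check_archive(zip_bytes, max_total_size)
    if findings:
        raise zipfile.BadZipFile("; ".join(findings))
    written, names = 0, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            with zf.open(zi) as src, open(os.path.join(dest_dir, zi.filename), "wb") as dst:
                while chunk := src.read(64 * 1024):
                    written += len(chunk)
                    if written > max_total_size:
                        raise zipfile.BadZipFile(f"extraction exceeded {max_total_size} bytes")
                    dst.write(chunk)
            names.append(zi.filename)
    return names


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("honest:", extract_with_budget(build_honest_zip(), tmp))
    print("quoted-overlap:", check_archive(build_quoted_overlap_zip()))
```

The declared `file_size` values in the central directory are attacker-controlled, which is why `extract_with_budget` counts bytes as they are written rather than trusting `check_archive`'s sum alone; the overlap scan catches the quoted-overlap layout that the reporter describes, and the running byte budget bounds the damage from anything the scan does not recognise.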