Christian Heimes <li...@cheimes.de> added the comment:

The suggested approach is merely a heuristic that reduces the impact of a 
zipbomb. An attacker can circumvent the heuristic. In the best-case scenario, the 
approach just increases the cost factor for a successful DoS. For example, an 
attacker may have to upload 10 larger zip files instead of one smaller zip file 
to fill up the disk space of a server.

The correct approach is to always verify all data from untrusted sources. It's 
the 101 of application security.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36260>
_______________________________________
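As an added illustration of the point made in the comment above (example code written for this page; it is not from CPython's zipfile module, the tracker issue, or the commenter): the uncompressed sizes in a zip's central directory are attacker-controlled, so a pre-check on them is only a cheap heuristic. What cannot be faked is the number of bytes that actually come out of the decompressor, so the extractor below enforces its budget on that count while streaming, and refuses member names that escape the target directory. `safe_extract`, `UnsafeArchive`, `check_member_name`, `declared_total`, `MemorySink` and the constructed all-zero sample archive are all assumptions of this example.

```python
import io
import posixpath
import re
import zipfile
from typing import Callable, Optional


class UnsafeArchive(Exception):
    """Archive violated policy. Raised before the offending bytes are written."""


def build_sample_archive(uncompressed_size: int = 20 * 1024 * 1024) -> bytes:
    """Constructed sample input: one DEFLATE member of all-zero bytes.

    Zeros compress roughly 1000:1, so the default 20 MiB member is only about
    20 KiB on the wire, which is the shape of a zip bomb.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\x00" * uncompressed_size)
    return buf.getvalue()


def declared_total(data: bytes) -> int:
    """Sum of the uncompressed sizes the central directory claims.

    These fields come straight from the attacker-controlled archive, so a
    check on them is only a cheap heuristic, never the real limit.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def check_member_name(name: str) -> None:
    """Reject names that would escape the extraction directory."""
    if not name or "\\" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise UnsafeArchive(f"unsafe member name: {name!r}")
    if ".." in posixpath.normpath(name).split("/"):
        raise UnsafeArchive(f"path traversal in member name: {name!r}")


class MemorySink:
    """Stand-in for a disk writer: records how many bytes each member produced."""

    def __init__(self) -> None:
        self.written = {}

    def __call__(self, name: str, chunk: bytes) -> None:
        self.written[name] = self.written.get(name, 0) + len(chunk)


def safe_extract(
    data: bytes,
    write: Callable[[str, bytes], None],
    *,
    max_total_bytes: int,
    max_ratio: Optional[int] = None,
    precheck_headers: bool = True,
    chunk_size: int = 64 * 1024,
) -> int:
    """Extract every member through write(name, chunk) under a hard byte budget.

    Returns the number of bytes written. The budget is enforced on the bytes
    that actually come out of the decompressor, not on what the headers claim.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            check_member_name(info.filename)

        # Cheap early rejection. An attacker can lie in these fields, so this
        # alone is never sufficient; it only saves work on honest oversize input.
        if precheck_headers and sum(i.file_size for i in infos) > max_total_bytes:
            raise UnsafeArchive("declared uncompressed size exceeds budget")

        for info in infos:
            if info.is_dir():
                continue
            member_bytes = 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(chunk_size)
                    if not chunk:
                        break
                    # Measured, not declared: refuse before the chunk is written.
                    if total + len(chunk) > max_total_bytes:
                        raise UnsafeArchive(f"decompressed output would exceed {max_total_bytes} bytes")
                    total += len(chunk)
                    member_bytes += len(chunk)
                    # Per-member amplification cap. This is the kind of heuristic the
                    # comment describes: an attacker sidesteps it by spreading the payload
                    # over more members, so the total budget is the control that matters.
                    if max_ratio is not None and member_bytes > max_ratio * max(info.compress_size, 1):
                        raise UnsafeArchive(f"{info.filename}: compression ratio above {max_ratio}:1")
                    write(info.filename, chunk)
    return total
```

A real deployment would replace `MemorySink` with a callback that opens each member under the destination directory and appends chunks; the budget logic is unchanged. The ratio cap is kept only to show where the heuristic sits relative to the hard limit: with the cap alone, ten members each just under the ratio threshold still fill the disk, which is exactly the cost-factor argument above.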