New submission from Nikolaus Rath: The zlib Decompress.decompress has a max_length parameter that limits the size of the returned uncompressed data.
The lzma and bz2 decompress methods do not have such a parameter. Therefore, it is not possible to decompress untrusted lzma or bz2 data without becoming susceptible to a DoS attack, as the attacker can force allocation of gigantic buffers by sending just a tiny amount of compressed data: $ dd if=/dev/zero bs=128k count=10k | bzip2 -9 > nasty.bz2 10240+0 records in 10240+0 records out 1342177280 bytes (1.3 GB) copied, 11.0892 s, 121 MB/s $ dir nasty.bz2 -rw-rw-r-- 1 nikratio nikratio 977 Apr 21 14:58 nasty.bz2 It would be great if the lzma and bz2 decompressor methods could also get a max_length parameters to make this situation less threatening. ---------- components: Library (Lib) messages: 187532 nosy: Nikratio priority: normal severity: normal status: open title: lzma and bz2 decompress methods lack max_size attribute type: behavior versions: Python 3.3, Python 3.4, Python 3.5 _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue17813> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com