From bdd7f771dbaa3bef15b130333b5a6278da0826c4 Mon Sep 17 00:00:00 2001 From: JinWang An Date: Thu, 22 Jun 2023 11:05:32 +0900 Subject: [PATCH] [CVE-2019-9674] bpo-36258: Add pitfalls to zipfile module documentation We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. This gave us the idea of documentation improvement. So, we moved a little bit forward :P And the doc patch can be found (pr). Change-Id: Ib91b006010ce69b5a49525cb2c27a3ea1bdb7ec6 Signed-off-by: JinWang An --- Doc/library/zipfile.rst | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index ba613b3..77a29fb 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -553,5 +553,45 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- + +The extraction in zipfile module might fail due to some pitfalls listed below. + +From file itself +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum / ZIP format or +unsupported compression method / decryption. + +File System limitations +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause decompression failed. +Such as allowable characters in the directory entries, length of the file name, +length of the pathname, size of a single file, and number of files, etc. + +Resources limitations +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) +apply to zipfile library that can cause disk volume exhaustion. + +Interruption +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C or killing the +decompression process may result in incomplete decompression of the archive. + +Default behaviors of extraction +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors +can cause unexpected decompression results. +For example, when extracting the same archive twice, +it overwrites files without asking. + +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT -- 2.7.4