Bug report
Bug description:
Just found this vulnerability in the latest Python 3.11.5 (and previous 3.10.10).
If we craft a zipbomb using the "quoted-overlap" way (as mentioned https://www.bamsoftware.com/hacks/zipbomb/), this can't be detected by Python's zip file and the zip will be extracted and thus potentially cause a DoS attack by consuming all the storage.
This issue is related to CVE-2019-9674 but not the same. CVE-2019-9674 is talking about the "normal" overlap-zipbomb which is a "full" overlap. This can already be detected by Python's new version of zipfile. However, when we craft a "quoted-overlap" zip, as indicated by https://www.bamsoftware.com/hacks/zipbomb/, python can't detect and happily starts to extract.
For example, the following is the python to extract a zip file, 116 KB before extraction, goes to as large as 17GB after extraction. The size after extraction can be easily increased to multi TBs or even PBs by adjusting the zip-creation.
import zipfile
import sys
import os
def extract_zip(zip_path):
"""
Extracts the contents of a ZIP file to the current directory.
:param zip_path: Path to the ZIP file
"""
if not os.path.exists(zip_path):
print(f"Error: {zip_path} does not exist.")
return
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
zip_ref.extractall()
print(f"Extracted contents of {zip_path} to the current directory.")
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python extract_zip.py <path_to_zip_file>")
sys.exit(1)
zip_file_path = sys.argv[1]
extract_zip(zip_file_path)CPython versions tested on:
3.11
Operating systems tested on:
Linux
Linked PRs
Bug report
Bug description:
Just found this vulnerability in the latest Python 3.11.5 (and previous 3.10.10).
If we craft a zipbomb using the "quoted-overlap" way (as mentioned https://www.bamsoftware.com/hacks/zipbomb/), this can't be detected by Python's zip file and the zip will be extracted and thus potentially cause a DoS attack by consuming all the storage.
This issue is related to CVE-2019-9674 but not the same. CVE-2019-9674 is talking about the "normal" overlap-zipbomb which is a "full" overlap. This can already be detected by Python's new version of zipfile. However, when we craft a "quoted-overlap" zip, as indicated by https://www.bamsoftware.com/hacks/zipbomb/, python can't detect and happily starts to extract.
For example, the following is the python to extract a zip file, 116 KB before extraction, goes to as large as 17GB after extraction. The size after extraction can be easily increased to multi TBs or even PBs by adjusting the zip-creation.
CPython versions tested on:
3.11
Operating systems tested on:
Linux
Linked PRs