diff options
author | JinWang An <jinwang.an@samsung.com> | 2023-06-22 11:05:32 +0900 |
---|---|---|
committer | JinWang An <jinwang.an@samsung.com> | 2023-06-22 11:09:01 +0900 |
commit | bdd7f771dbaa3bef15b130333b5a6278da0826c4 (patch) | |
tree | 9846347743bf5b0b915374a28e875cd4b9e033f2 | |
parent | f7190d43be29ec231c4f8b878748503f79056d91 (diff) | |
download | python-accepted/tizen_6.0_base_tool.tar.gz python-accepted/tizen_6.0_base_tool.tar.bz2 python-accepted/tizen_6.0_base_tool.zip |
[CVE-2019-9674] bpo-36258: Add pitfalls to zipfile module documentationsubmit/tizen_6.0_base/20230622.055327accepted/tizen/6.0/base/tool/20230625.221407accepted/tizen/6.0/base/20230713.143017tizen_6.0_baseaccepted/tizen_6.0_base_toolaccepted/tizen_6.0_base
We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
This gave us the idea of documentation improvement.
So, we moved a little bit forward :P
And the doc patch can be found (pr).
Change-Id: Ib91b006010ce69b5a49525cb2c27a3ea1bdb7ec6
Signed-off-by: JinWang An <jinwang.an@samsung.com>
-rw-r--r-- | Doc/library/zipfile.rst | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index ba613b3..77a29fb 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -553,5 +553,45 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- + +The extraction in zipfile module might fail due to some pitfalls listed below. + +From file itself +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum / ZIP format or +unsupported compression method / decryption. + +File System limitations +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause decompression failed. +Such as allowable characters in the directory entries, length of the file name, +length of the pathname, size of a single file, and number of files, etc. + +Resources limitations +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) +apply to zipfile library that can cause disk volume exhaustion. + +Interruption +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C or killing the +decompression process may result in incomplete decompression of the archive. + +Default behaviors of extraction +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors +can cause unexpected decompression results. +For example, when extracting the same archive twice, +it overwrites files without asking. + +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT |