#36588: Harden `django.utils.archive` against decompression bombs
-------------------------------------+-------------------------------------
     Reporter:  Natalia Bidart       |  Owner:  (none)
         Type:  Cleanup/optimization |  Status:  new
    Component:  Utilities            |  Version:  dev
     Severity:  Normal               |  Resolution:
     Keywords:  archive              |  Triage Stage:  Unreviewed
    Has patch:  0                    |  Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
* cc: Jake Howard (added)
Comment:
Jake Howard said:
* This also highlights that we should probably document this explicitly.
If it's come up before, it's going to come up again. Getting some
agreement for how local-development-only vulnerabilities are classed will
help avoid a lot of future confusion. I'd suggest we put a warning on the
`--template` argument about using untrusted templates, not only for
extraction issues, but also because if they contain bad practices or
backdoors, the new project would contain them too.
* Python's built-ins have come a long way since this module was created,
and we could defer a lot of this work upstream. `zipfile` is probably safe
as-is, at least for our use case, and `tarfile` has extraction filters
since 3.12 to mitigate much of the weirdness. We might even be able to use
`shutil.unpack_archive` entirely (more investigation needed).
--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
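An added example, not code from django.utils.archive or from the ticket, showing the two defences the comment above keeps separate: tarfile's "data" extraction filter (Python 3.12, also backported to the 3.8 to 3.11 security branches) handles path traversal, absolute names and links, while a member-count and declared-size budget, which the filter does not provide, handles decompression bombs. The limits, the helper and exception names, and the archives built in memory are this example's own choices.

```python
"""Budgeted extraction of a project-template archive (added example).

Not django.utils.archive code.  Two defences for two different problems:
* a budget on member count and on the sum of declared uncompressed sizes,
  checked from the headers before anything is written (decompression bombs);
* tarfile's "data" extraction filter, with a hand-written fallback for
  interpreters that lack it, for absolute paths, "..", links and devices.
Limits and names below are this example's own choices, not Django's.
"""
import io
import tarfile
import zipfile
from pathlib import Path, PurePosixPath

MAX_MEMBERS = 10_000
MAX_TOTAL_BYTES = 64 * 1024 * 1024  # 64 MiB of *uncompressed* data


class UnsafeArchive(Exception):
    """Archive exceeds the budget or contains a member we refuse to extract."""


def _check_budget(members, max_members, max_total_bytes):
    """Sum declared sizes from an iterable of (name, size); stop early on a breach."""
    count = total = 0
    for name, size in members:
        count += 1
        total += size
        if count > max_members:
            raise UnsafeArchive(f"more than {max_members} members")
        if total > max_total_bytes:
            raise UnsafeArchive(f"declared size exceeds {max_total_bytes} bytes at {name!r}")
    return count, total


def _tar_member_is_safe(member):
    """The checks the 'data' filter performs, for interpreters without it."""
    name = PurePosixPath(member.name)
    if name.is_absolute() or ".." in name.parts:
        return False
    # A project template needs only plain files and directories; no links, devices.
    return member.isfile() or member.isdir()


def extract_tar(fileobj, dest, max_members=MAX_MEMBERS, max_total_bytes=MAX_TOTAL_BYTES):
    """Extract a (possibly compressed) tar under a budget; returns (count, total)."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        accepted = []

        def headers():
            # Iterating a TarFile reads one header at a time, so a bomb is
            # refused as soon as the running total crosses the limit.  Tar
            # extraction writes exactly `size` bytes per member, so the
            # declared sizes bound what reaches the disk.
            for member in tf:
                if not _tar_member_is_safe(member):
                    raise UnsafeArchive(f"refusing member {member.name!r}")
                accepted.append(member)
                yield member.name, member.size

        count, total = _check_budget(headers(), max_members, max_total_bytes)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(str(dest), members=accepted, **extra)
    return count, total


def extract_zip(fileobj, dest, max_members=MAX_MEMBERS, max_total_bytes=MAX_TOTAL_BYTES):
    """Same budget for zip.  CPython's zipfile sanitises member names itself and
    returns at most ZipInfo.file_size bytes per member (a longer stream fails the
    CRC), so the central-directory sizes bound the output here too."""
    with zipfile.ZipFile(fileobj) as zf:
        pairs = ((i.filename, i.file_size) for i in zf.infolist())
        count, total = _check_budget(pairs, max_members, max_total_bytes)
        zf.extractall(str(dest))
    return count, total


def build_tar_gz(entries):
    """Constructed test input: a gzip-compressed tar from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def build_zip(entries):
    """Constructed test input: a deflated zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def rejected(extractor, fileobj, dest, **limits):
    """True when the extractor refuses the archive."""
    try:
        extractor(fileobj, dest, **limits)
    except UnsafeArchive:
        return True
    return False


def demo():
    """Exercise the checks on constructed archives; returns a summary dict."""
    import tempfile
    meg = 1024 * 1024
    with tempfile.TemporaryDirectory() as d:
        benign = build_tar_gz([("project_name/manage.py", b"print('hi')\n"),
                               ("project_name/settings.py", b"DEBUG = True\n")])
        count, total = extract_tar(benign, d)
        written = (Path(d) / "project_name" / "manage.py").read_bytes()
        return {
            "benign": (count, total, written),
            # 4 MiB of zeros compresses to a few KiB: the classic bomb shape.
            "tar_bomb": rejected(extract_tar, build_tar_gz([("big.bin", bytes(4 * meg))]), d, max_total_bytes=meg),
            "zip_bomb": rejected(extract_zip, build_zip([("big.bin", bytes(4 * meg))]), d, max_total_bytes=meg),
            "traversal": rejected(extract_tar, build_tar_gz([("../escape.txt", b"x")]), d),
            "too_many": rejected(extract_tar, build_tar_gz([(f"f{i}", b"") for i in range(3)]), d, max_members=2),
        }


if __name__ == "__main__":
    print(demo())
```

The budget is checked against header metadata, which is sound here only because both readers cap each member at its declared size; a reader that trusted a length-prefixed stream instead would need the count enforced while copying. The filter and the budget stay independent so that a future move to `shutil.unpack_archive`, which Jake floats above, could keep the budget pass in front of whatever extractor is used.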
--
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/010701990b053a24-f43d36f2-bc6a-4173-bffd-7af46fc3de19-000000%40eu-central-1.amazonses.com.