Issue #9 wontfix

ez_setup.py download and extraction flooding vulnerability

Christian Heimes
created an issue

ez_setup.download_setuptools() doesn't limit the amount of data that is downloaded with urllib. An attacker can forge an HTTP response with a large or even infinite file (e.g. netcat < /dev/zero). This can consume lots of memory or occupy lots of disk space on /tmp. src.read() should be limited to a sane value (e.g. 2-5 MB) and raise an error if more data is downloaded.

ez_setup._extractall() should be limited, too. It's open to a zip decompression bomb vulnerability.
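As an added example of the two bounds the report asks for (this is illustration code written for this page, not ez_setup's or setuptools' own): a chunked download that aborts once a byte cap is passed, and a zip extraction that counts decompressed output as it is produced instead of trusting the sizes declared in the archive headers. The cap values, the helper names, and the EndlessResponse/FiniteResponse stand-ins for a forged HTTP body are assumptions constructed for the example.

```python
import io
import zipfile

# Illustrative caps for this example (the issue suggests 2-5 MB for the
# download); they are not values taken from ez_setup itself.
MAX_DOWNLOAD_BYTES = 5 * 1024 * 1024
MAX_MEMBER_BYTES = 16 * 1024 * 1024    # per archive member, decompressed
MAX_TOTAL_BYTES = 64 * 1024 * 1024     # whole archive, decompressed
CHUNK = 64 * 1024


class DownloadTooLarge(Exception):
    pass


class ArchiveTooLarge(Exception):
    pass


def bounded_read(src, limit=MAX_DOWNLOAD_BYTES, chunk_size=CHUNK):
    """Buffer `src` (anything with .read(n), e.g. a urllib response) in memory,
    raising DownloadTooLarge once more than `limit` bytes have arrived.
    Reading in fixed chunks is what makes the cap enforceable: src.read() with
    no argument would try to buffer the whole, possibly endless, body first."""
    out = io.BytesIO()
    total = 0
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            return out.getvalue()
        total += len(chunk)
        if total > limit:
            raise DownloadTooLarge("body exceeded %d bytes" % limit)
        out.write(chunk)


def extract_zip_bounded(data, max_member=MAX_MEMBER_BYTES, max_total=MAX_TOTAL_BYTES):
    """Decompress every member of an in-memory zip, counting output bytes as
    they are produced. Returns {member name: bytes}; writing to disk instead is
    the same loop with a file handle in place of the BytesIO buffer."""
    extracted = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Cheap early rejection when the header already admits the member is too big.
            if info.file_size > max_member:
                raise ArchiveTooLarge("%s declares %d bytes" % (info.filename, info.file_size))
            buf = io.BytesIO()
            written = 0
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    written += len(chunk)
                    total += len(chunk)
                    # The enforced limit: header fields can lie, this counter cannot.
                    if written > max_member or total > max_total:
                        raise ArchiveTooLarge("decompressed output exceeded limit at %s" % info.filename)
                    buf.write(chunk)
            extracted[info.filename] = buf.getvalue()
    return extracted


# --- constructed stand-ins for attacker-controlled input (not real network code) ---

class EndlessResponse:
    """A forged HTTP body that never ends (the 'netcat < /dev/zero' case)."""
    def read(self, n=-1):
        if n < 0:
            raise RuntimeError("an unbounded read() here would never return")
        return b"\x00" * n


class FiniteResponse:
    """A well-behaved body handed over in small pieces, as a socket would."""
    def __init__(self, body, piece=7):
        self._buf = io.BytesIO(body)
        self._piece = piece

    def read(self, n=-1):
        return self._buf.read(min(n, self._piece) if n >= 0 else self._piece)


def build_zip(members):
    """Deflated zip from {name: bytes}; long runs of zeros compress to almost
    nothing, which is exactly what a decompression bomb relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def download_with_cap(src, limit):
    """(data, None) on success, (None, exception) when the cap trips."""
    try:
        return bounded_read(src, limit), None
    except DownloadTooLarge as exc:
        return None, exc


def extract_with_cap(data, max_member, max_total):
    """(members, None) on success, (None, exception) when a cap trips."""
    try:
        return extract_zip_bounded(data, max_member, max_total), None
    except ArchiveTooLarge as exc:
        return None, exc


if __name__ == "__main__":
    print(download_with_cap(EndlessResponse(), 1024))
    bomb = build_zip({"payload.bin": b"\x00" * (8 << 20)})
    print(len(bomb), "bytes on the wire ->", extract_with_cap(bomb, 1 << 20, 64 << 20))
```

The header check in extract_zip_bounded is only an optimisation; the running counter inside the read loop is the guarantee, since a crafted archive can declare any size it likes. The same counting loop applies unchanged to tarfile members if the downloaded artifact is a tarball rather than a zip.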

Comments (1)

  1. Jason R. Coombs

    I'm inclined to say this shouldn't be fixed. The updated code now prefers a secure download technique, leveraging system downloaders. These measures should be suitable to protect against most vectors that would employ download or extraction attacks. I say most because I can't prove there aren't viable vectors out there.

    In other words, I believe we've put reasonable safeguards in place to ensure the content is trusted.

    That said, if you believe the potential vulnerability is worth the investment, please do provide a pull request.
