mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-11-24 07:23:22 -07:00
Code Issues Actions Packages Projects Releases Wiki Activity

handle zip bombs

Browse source
This commit is contained in:
AppleTheGolden 2025-10-11 19:19:38 +02:00
parent f514de44f6
commit 9b0c14ddf6
No known key found for this signature in database
GPG key ID: F6AC8A62154C42AA
1 changed files with 3 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
copyparty/httpcli.py
View file

@ -1554,10 +1554,12 @@ class HttpCli(object):
try: try:
with zipfile.ZipFile(abspath, "r") as zf: with zipfile.ZipFile(abspath, "r") as zf:
zi = zf.getinfo(inner_path) zi = zf.getinfo(inner_path)
if zi.file_size >= maxsz:
raise Pebkac(404, "zip bomb defused")
with zf.open(zi, "r") as fi: with zf.open(zi, "r") as fi:
self.send_headers(length=zi.file_size, mime=guess_mime(inner_path)) self.send_headers(length=zi.file_size, mime=guess_mime(inner_path))
remains = sendfile_py( sendfile_py(
self.log, 0, zi.file_size, self.log, 0, zi.file_size,
fi, fi,
self.s, self.s,
@ -1567,20 +1569,6 @@ class HttpCli(object):
{}, {},
"", "",
) )
# fd, ret = tempfile.mkstemp("." + inner_path.rsplit(".", 1)[0])
# fsz = 0
# with os.fdopen(fd, "wb") as fo:
#
# while True:
# buf = fi.read(32768)
# if not buf:
# break
#
# fsz += len(buf)
# if fsz > maxsz:
# raise Exception("zipbomb defused")
#
# fo.write(buf)
except KeyError: except KeyError:
raise Pebkac(404, "no such file in archive") raise Pebkac(404, "no such file in archive")
except (zipfile.BadZipfile, RuntimeError): except (zipfile.BadZipfile, RuntimeError):