
I'm building an application where users will be able to upload files and I'll need to extract them on my server. I'm concerned about the multiple security vulnerabilities this could pose.

This answer poses a question similar to mine, but only seems to address relative file extraction.

I haven't found any information relating to zip and tar.gz files with respect to size bombs (also known as gzip). Should I handle that case by manually checking the size before extracting? That looks dangerous for someone not aware of such a vulnerability.

The final question is: Is there any updated information with respect to safely handling zip and tar.gz files, especially taking into account the two previous sources of vulnerabilities? I also wonder if there is any other concern not mentioned in this post that I'm not aware of that could pose a security threat.

This question is asked from the Python perspective, but other information relating to safely handling those files with unix tools is welcome.

I've also found relevant information to extracting tar files here.

Josep
  • I think [another question](https://stackoverflow.com/q/2712173) with [answers](https://stackoverflow.com/a/11721660/6620967) will help you! – b1oki Jul 04 '19 at 10:32
  • This is in the line of what I'm looking for, but from a broader point of view. Maybe a Python library with a size limit that uncompresses any kind of files? My real problem here requires me to generate a list of shell commands to handle the uncompression and post-processing of the files. I cannot create commands on previous of shell execution, I can only append that information from python directly and I'm reticent on having to use a subprocess. But that is a little bit too much out of the scope of the question. – Josep Jul 04 '19 at 11:06
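The two risks the question raises, members whose names escape the destination directory and archives that expand to far more than they weigh (the "size bombs" above), can both be checked from Python's standard `zipfile` and `tarfile` modules without trusting the archive. The following is an added example written for this page, not code from the question or from any library it mentions; it assumes a byte budget `max_total_bytes` chosen by the deployer and a hypothetical `UnsafeArchive` exception. Sizes are enforced while streaming each member, because the size fields in zip and tar headers are attacker-controlled and may understate the real output.

```python
"""Defensive extraction of zip and tar/tar.gz uploads (added example).

Guards:
  * path traversal: member names with "..", absolute paths, or (for tar)
    symlinks/hard links/devices are refused before anything is written
  * decompression bombs: a total uncompressed byte budget is enforced
    while streaming, not from the header-declared sizes alone
"""
import os
import tarfile
import zipfile

CHUNK = 64 * 1024


class UnsafeArchive(Exception):
    """Raised when a member would be unsafe to extract (hypothetical name)."""


def _safe_target(dest_dir: str, member_name: str) -> str:
    """Absolute on-disk path for member_name, refusing anything outside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    # isabs: os.path.join would silently discard dest_dir for "/etc/passwd"
    # commonpath: catches "../x" and also symlinks created earlier that point out
    if os.path.isabs(member_name) or os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeArchive(f"member escapes destination: {member_name!r}")
    return target


def _copy_capped(src, dst_path: str, remaining: int) -> int:
    """Stream src into dst_path; abort (and delete the partial file) past `remaining` bytes."""
    written = 0
    os.makedirs(os.path.dirname(dst_path), exist_ok=True)
    with open(dst_path, "wb") as out:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            written += len(chunk)
            if written > remaining:
                out.close()
                os.remove(dst_path)  # do not leave a partially inflated bomb on disk
                raise UnsafeArchive("uncompressed size limit exceeded")
            out.write(chunk)
    return written


def extract_zip_safely(archive_path: str, dest_dir: str, max_total_bytes: int,
                       max_ratio: int = 100) -> int:
    """Extract a zip into dest_dir under a byte budget. Returns bytes written."""
    remaining = max_total_bytes
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            target = _safe_target(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            # Header-declared sizes are a cheap first filter; the streaming cap is the real guard.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise UnsafeArchive(f"suspicious compression ratio for {info.filename!r}")
            if info.file_size > remaining:
                raise UnsafeArchive("declared sizes exceed limit")
            with zf.open(info) as src:
                remaining -= _copy_capped(src, target, remaining)
    return max_total_bytes - remaining


def extract_tar_safely(archive_path: str, dest_dir: str, max_total_bytes: int) -> int:
    """Extract a .tar / .tar.gz into dest_dir; only regular files and directories are written."""
    remaining = max_total_bytes
    with tarfile.open(archive_path, "r:*") as tf:
        for member in tf:
            target = _safe_target(dest_dir, member.name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                if member.size > remaining:
                    raise UnsafeArchive("declared sizes exceed limit")
                with tf.extractfile(member) as src:
                    remaining -= _copy_capped(src, target, remaining)
            else:
                # symlinks, hard links, devices and FIFOs are refused outright
                raise UnsafeArchive(f"unsupported member type: {member.name!r}")
    return max_total_bytes - remaining
```

`max_ratio` is a policy knob, not a security boundary: a file of zeros legitimately deflates far beyond 100:1, so tune it or drop it for your data; the byte budget checked inside `_copy_capped` is what actually bounds disk usage. Neither function limits the number of members, so an archive containing millions of empty files would still cost inode and CPU time; add a member count cap if that matters for your deployment.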

0 Answers