author: Cody Maloney <cmaloney@users.noreply.github.com> 2024-11-03 05:28:51 (GMT)
committer: GitHub <noreply@github.com> 2024-11-03 05:28:51 (GMT)
commit: 556dc9b8a78bad296513221f3f414a3f8fd0ae70
tree: 610404e369536bded8094df5134c2428ddaed3b2 /Misc/NEWS.d
parent: 8161afe51c65afbf0332da58837d94975cec9f65
gh-113977, gh-120754: Remove unbounded reads from zipfile (GH-122101)
GH-113977, GH-120754: Remove unbounded reads from zipfile

Read without a size may read an unbounded amount of data + allocate unbounded size buffers. Move to capped size reads to prevent potential issues.

Co-authored-by: Daniel Hillier <daniel.hillier@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Diffstat (limited to 'Misc/NEWS.d')
-rw-r--r-- Misc/NEWS.d/next/Library/2024-07-23-02-24-50.gh-issue-120754.nHb5mG.rst | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2024-07-23-02-24-50.gh-issue-120754.nHb5mG.rst b/Misc/NEWS.d/next/Library/2024-07-23-02-24-50.gh-issue-120754.nHb5mG.rst
new file mode 100644
index 0000000..6c33e7b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-07-23-02-24-50.gh-issue-120754.nHb5mG.rst
@@ -0,0 +1 @@
+Update unbounded ``read`` calls in :mod:`zipfile` to specify an explicit ``size`` putting a limit on how much data they may read. This also updates handling around ZIP max comment size to match the standard instead of reading comments that are one byte too long.
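Review bot: The single added line folds two separate changes into one entry, and the second sentence (ZIP max comment size) describes a behaviour change that the commit subject "Remove unbounded reads from zipfile" does not mention. State the comment limit in bytes, or at least say what now happens to a comment that is one byte over it, so readers can tell whether archives they process are affected. The file is also named only for gh-issue-120754 while the commit subject references gh-113977 as well, so someone searching the changelog for gh-113977 will not find this entry; name that issue in the text if this change resolves it. Because the commit message gives unbounded reads and unbounded buffer allocation as the motivation, consider whether the entry belongs under Security rather than Library.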