[Django] #36588: Harden `django.utils.archive` against decompression bombs


Django

Sep 2, 2025, 11:21:00 AM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type: Cleanup/optimization
Status: new | Component: Utilities
Version: dev | Severity: Normal
Keywords: archive | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The `django.utils.archive` module is an internal utility used by
`startapp` and `startproject` when the `--template` option is provided.
The current implementation does not impose limits on extracted file size,
file count, or decompression time. This makes it possible for a crafted
archive to consume excessive resources.

''Thanks to "junfuchong (chongfujun)" for the report.''

This is not considered a security issue under Django's policy because:

* The module is undocumented and only used in local development commands.
* Our policy excludes issues that affect only local dev, and these
commands are not intended to run on untrusted archives in production.

Still, adding safeguards (such as maximum size or file count limits) would
make the code more robust and user-friendly. This ticket tracks such
hardening work after a conversation held within the Security Team.
--
Ticket URL: <https://code.djangoproject.com/ticket/36588>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 2, 2025, 11:22:03 AM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: archive | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* cc: Jake Howard (added)

Comment:

Jake Howard said:

* This also highlights that we should probably document this explicitly.
If it's come up before, it's going to come up again. Getting some
agreement for how local development only vulnerabilities are classed will
help avoid a lot of future confusion. I'd suggest we put a warning on the
`--template` argument about using untrusted templates, not only for
extraction issues, but also because if they contain bad practices or
backdoors, the new project would contain them too.

* Python's built-ins have come a long way since this module was created,
and we could defer a lot of this work upstream. `zipfile` is probably safe
as-is at least for our use case, and `tarfile` has extraction filters
since 3.12 to mitigate much of the weirdness. We might even be able to use
`shutil.unpack_archive` entirely (more investigation needed).
--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:1>
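
One way to enforce the per-archive byte and member-count budget that the ticket description asks for, covering both the zip and tar paths that Jake's comment discusses. This is an added example, not Django's `django.utils.archive` code nor a patch from this thread; the limit values, the function names and the `build_zip` sample builder are constructed for the illustration.

```python
import io
import tarfile
import zipfile

MAX_FILES, MAX_TOTAL_BYTES, CHUNK = 1000, 50 * 1024 * 1024, 64 * 1024  # example values, not Django's

class ArchiveLimitExceeded(Exception):
    """Raised when an archive exceeds the member-count or byte budget."""

def measure_zip(data, max_files=MAX_FILES, max_bytes=MAX_TOTAL_BYTES):
    """Count members and bytes actually inflated (ZipInfo.file_size is untrusted)."""
    count = total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            count += 1
            if count > max_files:
                raise ArchiveLimitExceeded(f"more than {max_files} members")
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    total += len(chunk)
                    if total > max_bytes:  # abort mid-member, never after the fact
                        raise ArchiveLimitExceeded(f"over {max_bytes} bytes")
    return count, total

def measure_tar(data, max_files=MAX_FILES, max_bytes=MAX_TOTAL_BYTES):
    """Walk headers only; member.size is exactly what extraction would write."""
    count = total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            count += 1
            total += member.size if member.isfile() else 0
            if count > max_files or total > max_bytes:
                raise ArchiveLimitExceeded("archive exceeds limits")
    return count, total

def within_limits(data, **limits):
    measure = measure_zip if zipfile.is_zipfile(io.BytesIO(data)) else measure_tar
    try:
        measure(data, **limits)
        return True
    except ArchiveLimitExceeded:
        return False

def build_zip(n_files, size_each):
    """Constructed sample: zero-filled members, which deflate extremely well."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_files):
            zf.writestr(f"f{i}.txt", b"\0" * size_each)
    return buf.getvalue()
```

Run the check before any file is written, and on Python 3.12+ pair the tar path with `tarfile.data_filter` so that path and permission oddities are rejected as well as size.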

Django

Sep 3, 2025, 8:30:44 PM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: archive | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:2>

Django

Sep 4, 2025, 6:56:27 AM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: archive | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Jake Howard):

I've opened a [https://github.com/django/django/pull19814 PR] to add the
security warning to `--template`, which is separate from the hardening.
--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:3>

Django

Sep 4, 2025, 12:38:05 PM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: archive | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by nessita <124304+nessita@…>):

In [changeset:"4e7a991c12a113229e0927974d3bf94ea04eecf6" 4e7a991c]:
{{{#!CommitTicketReference repository=""
revision="4e7a991c12a113229e0927974d3bf94ea04eecf6"
Refs #36588 -- Warned about using external templates in
startapp/startproject commands.

Clarified that custom templates provided via `--template` for `startapp`
and `startproject` are used as-is, adding a warning that malicious or
poorly constructed templates may introduce security issues.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:4>

Django

Sep 4, 2025, 12:38:54 PM
to django-...@googlegroups.com
#36588: Harden `django.utils.archive` against decompression bombs
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: archive | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"fbced43cf84445e3770ce0a3744daca383813ad2" fbced43]:
{{{#!CommitTicketReference repository=""
revision="fbced43cf84445e3770ce0a3744daca383813ad2"
[5.2.x] Refs #36588 -- Warned about using external templates in
startapp/startproject commands.

Clarified that custom templates provided via `--template` for `startapp`
and `startproject` are used as-is, adding a warning that malicious or
poorly constructed templates may introduce security issues.

Backport of 4e7a991c12a113229e0927974d3bf94ea04eecf6 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36588#comment:5>