PyPI: Preventing ZIP parser confusion attacks on Python package installers
17 days ago
- #Python
- #Packaging
- #Security
- PyPI introduces new restrictions to prevent ZIP parser confusion attacks on Python package installers.
- ZIP archives crafted to exploit parser confusion are now rejected by PyPI.
- No evidence of exploitation via PyPI has been found.
- PyPI is deprecating wheel distributions with incorrect RECORD files.
- Wheels are ZIP archives, and the ZIP standard is complex and ambiguous.
- PyPI will reject ZIPs with invalid records, duplicate filenames, mismatched headers, trailing data, or incorrect End of Central Directory Locator values.
- PyPI will warn and later reject wheels with ZIP contents not matching RECORD metadata.
- Most top Python packages have no ZIP or RECORD issues, so the new restrictions should cause minimal disruption.
- Recommendations include updating installer tools, checking build processes, and ensuring ZIP implementations follow standards.
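A validator for the wheel-level checks listed above (duplicate filenames, local header disagreeing with the central directory, trailing data after the End of Central Directory record, and ZIP contents not matching RECORD), written as an added example for this summary and not PyPI's own code. `build_wheel` and `check_wheel` are names chosen here; `build_wheel` constructs a sample wheel in memory so the checks can be exercised offline, and the RECORD row format follows the wheel specification.

```python
import base64, csv, hashlib, io, struct, warnings, zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature

def record_line(name: str, data: bytes) -> str:
    """One RECORD row: path,sha256=<urlsafe base64 digest without '='>,size."""
    digest = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=")
    return f"{name},sha256={digest.decode()},{len(data)}"

def build_wheel(files, record=None, trailing=b""):
    """Constructed sample wheel (not a real project). `files` is a list of (name, bytes);
    `record` overrides what RECORD is computed from; `trailing` is appended after the ZIP."""
    rows = [record_line(n, d) for n, d in (files if record is None else record)]
    rows.append("demo-1.0.dist-info/RECORD,,")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them anyway
        for name, data in files:
            zf.writestr(name, data)
        zf.writestr("demo-1.0.dist-info/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue() + trailing

def check_wheel(data: bytes) -> list:
    """Return the problems found; an empty list means the wheel passed every check."""
    problems = []
    eocd = data.rfind(EOCD_SIG)  # the EOCD record (22 bytes + comment) must end exactly at EOF
    if eocd >= 0 and eocd + 22 + struct.unpack("<H", data[eocd + 20:eocd + 22])[0] != len(data):
        problems.append("trailing data after End of Central Directory record")
    contents = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # raises BadZipFile if there is no EOCD at all
        infos = zf.infolist()
        if len(infos) != len({zi.filename for zi in infos}):
            problems.append("duplicate filenames in central directory")
        for zi in infos:
            try:  # zipfile raises if the local header name or CRC disagrees with the central directory
                contents[zi.filename] = zf.open(zi).read()
            except zipfile.BadZipFile as exc:
                problems.append(f"{zi.filename}: {exc}")
    record = next((n for n in contents if n.endswith(".dist-info/RECORD")), None)
    if record is None:
        return problems + ["RECORD file missing"]
    listed = {path: digest for path, digest, _size in csv.reader(contents[record].decode().splitlines())}
    for name, blob in ((n, b) for n, b in contents.items() if n != record):
        if name not in listed:
            problems.append(f"{name}: in ZIP but not in RECORD")
        elif record_line(name, blob).rsplit(",", 2)[1] != listed[name]:
            problems.append(f"{name}: hash does not match RECORD")
    problems += [f"{n}: in RECORD but not in ZIP" for n in listed if n != record and n not in contents]
    return problems
```

Python's own `zipfile` tolerates trailing bytes after the EOCD record and duplicate central directory entries, which is why both are checked explicitly rather than left to the library.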