[ python-Bugs-1413790 ] zipfile: inserting some filenames produces corrupt .zips

SourceForge.net noreply at sourceforge.net
Mon Feb 20 10:13:15 CET 2006


Bugs item #1413790, was opened at 2006-01-24 16:57
Message generated for change (Settings changed) made by birkenfeld
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1413790&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Grant Olson (logistix)
Assigned to: Nobody/Anonymous (nobody)
Summary: zipfile: inserting some filenames produces corrupt .zips

Initial Comment:
Running something like the following produces a corrupt
.zip file.  The builtin XP zip folder view won't show
any documents and attempting to extract via "right
click -> Extract files..." will set off an untrusted
file alert:

import zipfile
z = zipfile.ZipFile("c:\\foo.zip","w")
z.write("c:\\autoexec.bat", "\\autoexec.bat")
z.close()

zipfile should either throw an error when adding these
files or attempt to normalize the path.  I would prefer
that zipfile make the assumption that any files
starting with absolute or relative pathnames
("\\foo\\bar.txt" or ".\\foo\\bar.txt") should join in
at the root of the zipfile ("foo\\bar.txt" in this case).

Patch to accomplish the latter is attached.

----------------------------------------------------------------------

>Comment By: Georg Brandl (birkenfeld)
Date: 2006-02-20 10:13

Message:
Logged In: YES 
user_id=1188172

Thanks for the bug report, fixed in rev. 42508.

----------------------------------------------------------------------

Comment By: Grant Olson (logistix)
Date: 2006-01-25 21:52

Message:
Logged In: YES 
user_id=699438

Just wanted to note that the documentation of the .zip
format from pkzip explicitly states that a drive letter or
leading slash is not allowed.  The pertinent text:

file name: (Variable)

          The name of the file, with optional relative path.
          The path stored should not contain a drive or
          device letter, or a leading slash.  All slashes
          should be forward slashes '/' as opposed to
          backwards slashes '\' for compatibility with Amiga
          and UNIX file systems etc.  If input came from standard
          input, there is no file name field.  If encrypting
          the central directory and general purpose bit flag 13 is set
          indicating masking, the file name stored in the Local Header
          will not be the actual file name.  A masking value consisting
          of a unique hexadecimal value will be stored.  This value will
          be sequentially incremented for each file in the archive. See
          the section on the Strong Encryption Specification for details
          on retrieving the encrypted file name.


----------------------------------------------------------------------
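
The file-name rule quoted above (no drive letter, no leading slash, forward slashes only), as an added example that is not part of the original thread or of the patch attached to it: a normalizer, an audit of the names stored in an existing archive, and a repack under corrected names. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import ntpath
import zipfile


def normalize_arcname(name):
    """Drop drive and leading slashes, use '/' only (the rule quoted above)."""
    flat = ntpath.splitdrive(name)[1].replace("\\", "/")
    parts = [p for p in flat.split("/") if p not in ("", ".")]
    # Keep the trailing slash that marks a directory entry.
    return "/".join(parts) + ("/" if parts and flat.endswith("/") else "")


def audit_names(zf):
    """Map each stored name that breaks the rule to its normalized form."""
    return {n: normalize_arcname(n) for n in zf.namelist()
            if n != normalize_arcname(n)}


def repack_normalized(src):
    """Copy archive `src` into a new in-memory archive under fixed names."""
    out = io.BytesIO()
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(out, "w") as zout:
        seen = set()
        for info in zin.infolist():
            fixed = normalize_arcname(info.filename)
            if not fixed or fixed in seen:
                raise ValueError("unusable name after normalizing: %r"
                                 % info.filename)
            seen.add(fixed)
            zout.writestr(fixed, zin.read(info))
    out.seek(0)
    return out


def build_sample():
    """Constructed sample: writestr() stores these names unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("/autoexec.bat", "C:/boot.ini", "docs/readme.txt"):
            zf.writestr(name, b"constructed sample data")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with zipfile.ZipFile(build_sample()) as zf:
        print(audit_names(zf))
    with zipfile.ZipFile(repack_normalized(build_sample())) as zf:
        print(zf.namelist())
```
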
