Adam Polkosnik added the comment:
Gentlemen,
Is there any way this fix can be included in any version?
Currently, the fact that the exception is thrown makes extracting some zip
files impossible with this library, and rolling your own is a bit painful.
(either using a wrapper around 7z
Adam Polkosnik added the comment:
For the version headers, I've added the versions featuring the broken behavior.
That's all.
I'm not saying that this is
I'm extracting malware from the Central Quarantine files, and the vendor's
implementation is broken and is cau
Adam Polkosnik added the comment:
Also, this behavior is present on all platforms and all versions of Python
(zipfile Library), so maybe the headers should be adjusted there too.
I'm not saying that this is necessarily a big freaking hole, but by using this,
one can prevent files from
Adam Polkosnik added the comment:
If I got a file scanner in my mail gateway implemented with this, one can
easily avoid getting the contents of zip-files scanned. Is that enough of a
security impact?
--
___
Python tracker
<http://bugs.python.
Adam Polkosnik added the comment:
I've also tested with WinZip, and Windows Explorer, on Windows. Both extract
the contents of test.zip without a warning (just like 7zip on Windows did).
This behavior counts as Denial Of Service if the zipfile Library is used to
extract files, besides lo
Adam Polkosnik added the comment:
Terry, I apologize about the second change of headers, somehow I must have used
the submission form to post the comment from a tab that had the old content,
and the headers didn't refresh there. I assure you that it was not my intention
to change them
Adam Polkosnik added the comment:
In any event, I think that zipfile_stupid3.patch would be the best trivial fix
to this issue.
Adam Polkosnik added the comment:
Patch against 2.7.6 attached.
--
Added file: http://bugs.python.org/file35101/zipfile_276_filename_mismatch.patch
Adam Polkosnik added the comment:
Patch against zipfile 3.4.0 attached.
--
Added file: http://bugs.python.org/file35102/zipfile_340_filename_mismatch.patch
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35102/zipfile_340_filename_mismatch.patch
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35101/zipfile_276_filename_mismatch.patch
Adam Polkosnik added the comment:
update
--
Added file: http://bugs.python.org/file35103/zipfile_340_filename_mismatch.patch
Adam Polkosnik added the comment:
Once again patch against 2.7.6
--
Added file: http://bugs.python.org/file35104/zipfile_276_filename_mismatch.patch
Changes by Adam Polkosnik :
Removed file: http://bugs.python.org/file33666/zipfile_stupid3.patch
___
Python tracker
<http://bugs.python.org/issue6839>
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35104/zipfile_276_filename_mismatch.patch
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35103/zipfile_340_filename_mismatch.patch
Adam Polkosnik added the comment:
Attached is a patch with warnings against 2.7.6
--
Added file:
http://bugs.python.org/file35113/zipfile_276_filename_mismatch_v2.patch
Adam Polkosnik added the comment:
Attached is a patch with warnings against 3.4.0
--
Added file:
http://bugs.python.org/file35114/zipfile_340_filename_mismatch_v2.patch
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35113/zipfile_276_filename_mismatch_v2.patch
Adam Polkosnik added the comment:
Attached is a patch with warnings against 2.7.6 (this one should be good to go)
--
Added file:
http://bugs.python.org/file35115/zipfile_276_filename_mismatch_v2.patch
Adam Polkosnik added the comment:
3.4.0 patch with stacklevel=2
--
Added file:
http://bugs.python.org/file35117/zipfile_340_filename_mismatch_v3.patch
Changes by Adam Polkosnik :
Removed file:
http://bugs.python.org/file35114/zipfile_340_filename_mismatch_v2.patch
Adam Polkosnik added the comment:
I just looked through 2.7.6 version of zipfile, and the error handling
there is either through using raise() or print(). So, in line with the guidance
provided for 2.7.6, perhaps we should stick with print() instead of
warning.warn(). I'll post that
Adam Polkosnik added the comment:
Jim,
I've got some test cases where the zlib_forward_slash.patch doesn't cut it.
That was the reason for trying a broader approach with filename_mismatch
patches.
--
Added file:
http://bugs.python.org/file35120/zipfile_276_filename_m
Adam Polkosnik added the comment:
Is there anything else that you need me to provide?
Adam Polkosnik added the comment:
Jim,
The problems documented here are related to two cases (both apparently arriving
from the world of Windows):
1. two relative paths with inverted slash in one of them (test\test2.txt vs
test/test2.txt)
2. relative path vs absolute path (windows\temp\test.txt
Adam Polkosnik added the comment:
Extraction works fine, the issue was that raise() was creating an exception,
and stopping the whole extraction process. When replaced with a warning,
everything works fine.
Adam Polkosnik added the comment:
Ethan,
I'd refer you to msg92309...
And
When testing with WinZip it looks like this:
No errors detected in compressed data of C:\Downloads\test.zip.
Testing ...
Testing test\OK
Testing test\test2.txt OK
Testing test
Adam Polkosnik added the comment:
Both. Other programs, and in python scripts when raise() is removed in
zipfile.py. Unless your results are different.
Adam Polkosnik added the comment:
I've got bitten by a different variation of this bug.
In my case the issue can be summarized by:
zipfile.BadZipfile: File name in directory "Windows\TEMP\test.tmp" and header
"C:\Windows\TEMP\test.tmp" differ.
Attached is a patch fo
Adam Polkosnik added the comment:
Just tested my patch on mac, and it appears that it didn't work on OSX (and
likely on other unix platforms too).
Conclusion... os.path.basename() will not do anything to windows paths when
running on unix.
I'm thinking that instead of bailing at
Changes by Adam Polkosnik :
Removed file: http://bugs.python.org/file32160/zipfile.py.patch
Adam Polkosnik added the comment:
I'm in a similar situation, my test file raises this:
File name in directory "windows\TEMP\\test123.txt" and header
"C:\windows\TEMP\\test123.txt" differ.
It turns out that I can't find any cross platform procedures for pro
Adam Polkosnik added the comment:
This one has the parentheses for print, so that it works in python 3.x. Also,
the default fallback behavior in this case is to use the filename from the
zip's directory (the first path in the warning).
--
Added file: http://bugs.python.org/file
Adam Polkosnik added the comment:
Can we get this simple "fix" implemented in time for the next 2.7.x release?!
Thank you!
Adam Polkosnik added the comment:
Excellent, please see my third attempt.
--
Added file: http://bugs.python.org/file33666/zipfile_stupid3.patch
Changes by Adam Polkosnik :
Removed file: http://bugs.python.org/file33662/zipfile_stupid.patch
Changes by Adam Polkosnik :
Removed file: http://bugs.python.org/file33663/zipfile_stupid2.patch
Adam Polkosnik added the comment:
It might not be a regular "security" issue, but it is not extracting some files
that it should. There's a possible scenario, where it can be a security issue.