summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2006-02-20 08:40:38 (GMT)
committerGeorg Brandl <georg@python.org>2006-02-20 08:40:38 (GMT)
commit8f7c54eaa5e363ef02e99518253b3cb17f6602e6 (patch)
tree80de626902f35cd4d90f271c4641b020b256f4f6
parent200a58058a504da4cc2f9145e671b009b0bedd27 (diff)
downloadcpython-8f7c54eaa5e363ef02e99518253b3cb17f6602e6.zip
cpython-8f7c54eaa5e363ef02e99518253b3cb17f6602e6.tar.gz
cpython-8f7c54eaa5e363ef02e99518253b3cb17f6602e6.tar.bz2
Bug #1413790: zipfile now sanitizes absolute archive names that are
not allowed by the specs.
-rw-r--r--Doc/lib/libzipfile.tex7
-rw-r--r--Lib/test/test_zipfile.py10
-rw-r--r--Lib/zipfile.py8
-rw-r--r--Misc/NEWS6
4 files changed, 26 insertions, 5 deletions
diff --git a/Doc/lib/libzipfile.tex b/Doc/lib/libzipfile.tex
index a0b5e63..32ca3e0 100644
--- a/Doc/lib/libzipfile.tex
+++ b/Doc/lib/libzipfile.tex
@@ -140,10 +140,13 @@ cat myzip.zip >> python.exe
compress_type}}}
Write the file named \var{filename} to the archive, giving it the
archive name \var{arcname} (by default, this will be the same as
- \var{filename}). If given, \var{compress_type} overrides the value
+ \var{filename}, but without a drive letter and with leading path
+ separators removed). If given, \var{compress_type} overrides the value
given for the \var{compression} parameter to the constructor for
the new entry. The archive must be open with mode \code{'w'} or
- \code{'a'}.
+ \code{'a'}.
+ \note{Archive names should be relative to the archive root, that is,
+ they should not start with a path separator.}
\end{methoddesc}
\begin{methoddesc}{writestr}{zinfo_or_arcname, bytes}
diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
index 57e7423..9fadc30 100644
--- a/Lib/test/test_zipfile.py
+++ b/Lib/test/test_zipfile.py
@@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase):
for f in (TESTFN2, TemporaryFile(), StringIO()):
self.zipTest(f, zipfile.ZIP_DEFLATED)
+ def testAbsoluteArcnames(self):
+ zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED)
+ zipfp.write(TESTFN, "/absolute")
+ zipfp.close()
+
+ zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED)
+ self.assertEqual(zipfp.namelist(), ["absolute"])
+ zipfp.close()
+
+
def tearDown(self):
os.remove(TESTFN)
os.remove(TESTFN2)
diff --git a/Lib/zipfile.py b/Lib/zipfile.py
index 037843c..168d245 100644
--- a/Lib/zipfile.py
+++ b/Lib/zipfile.py
@@ -397,9 +397,11 @@ class ZipFile:
date_time = mtime[0:6]
# Create ZipInfo instance to store file information
if arcname is None:
- zinfo = ZipInfo(filename, date_time)
- else:
- zinfo = ZipInfo(arcname, date_time)
+ arcname = filename
+ arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
+ while arcname[0] in (os.sep, os.altsep):
+ arcname = arcname[1:]
+ zinfo = ZipInfo(arcname, date_time)
zinfo.external_attr = (st[0] & 0xFFFF) << 16L # Unix attributes
if compress_type is None:
zinfo.compress_type = self.compression
diff --git a/Misc/NEWS b/Misc/NEWS
index 32f6047..28895c4 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -372,6 +372,12 @@ Extension Modules
Library
-------
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+ not allowed by the specs.
+
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+ not allowed by the specs.
+
- Patch #1215184: FileInput now can be given an opening hook which can
be used to control how files are opened.