author | Georg Brandl <georg@python.org> | 2006-02-20 08:40:38 (GMT) |
---|---|---|
committer | Georg Brandl <georg@python.org> | 2006-02-20 08:40:38 (GMT) |
commit | 8f7c54eaa5e363ef02e99518253b3cb17f6602e6 (patch) | |
tree | 80de626902f35cd4d90f271c4641b020b256f4f6 | |
parent | 200a58058a504da4cc2f9145e671b009b0bedd27 (diff) | |
Bug #1413790: zipfile now sanitizes absolute archive names that are
not allowed by the specs.
-rw-r--r-- | Doc/lib/libzipfile.tex | 7 | ||||
-rw-r--r-- | Lib/test/test_zipfile.py | 10 | ||||
-rw-r--r-- | Lib/zipfile.py | 8 | ||||
-rw-r--r-- | Misc/NEWS | 6 |
4 files changed, 26 insertions, 5 deletions
diff --git a/Doc/lib/libzipfile.tex b/Doc/lib/libzipfile.tex index a0b5e63..32ca3e0 100644 --- a/Doc/lib/libzipfile.tex +++ b/Doc/lib/libzipfile.tex @@ -140,10 +140,13 @@ cat myzip.zip >> python.exe compress_type}}} Write the file named \var{filename} to the archive, giving it the archive name \var{arcname} (by default, this will be the same as - \var{filename}). If given, \var{compress_type} overrides the value + \var{filename}, but without a drive letter and with leading path + separators removed). If given, \var{compress_type} overrides the value given for the \var{compression} parameter to the constructor for the new entry. The archive must be open with mode \code{'w'} or - \code{'a'}. + \code{'a'}. + \note{Archive names should be relative to the archive root, that is, + they should not start with a path separator.} \end{methoddesc} \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes} diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py index 57e7423..9fadc30 100644 --- a/Lib/test/test_zipfile.py +++ b/Lib/test/test_zipfile.py @@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase): for f in (TESTFN2, TemporaryFile(), StringIO()): self.zipTest(f, zipfile.ZIP_DEFLATED) + def testAbsoluteArcnames(self): + zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED) + zipfp.write(TESTFN, "/absolute") + zipfp.close() + + zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED) + self.assertEqual(zipfp.namelist(), ["absolute"]) + zipfp.close() + + def tearDown(self): os.remove(TESTFN) os.remove(TESTFN2) diff --git a/Lib/zipfile.py b/Lib/zipfile.py index 037843c..168d245 100644 --- a/Lib/zipfile.py +++ b/Lib/zipfile.py 
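Review bot: testAbsoluteArcnames in Lib/test/test_zipfile.py exercises a single input, `"/absolute"`, so the stripping loop added to Lib/zipfile.py is never run on a name with repeated leading separators, a drive letter, or nothing but a separator. A second `zipfp.write(TESTFN, ...)` call with such a name, plus a matching `namelist()` assertion, would pin the sanitising on the inputs most likely to break it. The two ZipFile handles are closed only on the success path; wrapping each use in `try: ... finally: zipfp.close()` would keep a failed assertion from leaving TESTFN2 open when tearDown removes it. The test class continues outside the hunk.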
@@ -397,9 +397,11 @@ class ZipFile: date_time = mtime[0:6] # Create ZipInfo instance to store file information if arcname is None: - zinfo = ZipInfo(filename, date_time) - else: - zinfo = ZipInfo(arcname, date_time) + arcname = filename + arcname = os.path.normpath(os.path.splitdrive(arcname)[1]) + while arcname[0] in (os.sep, os.altsep): + arcname = arcname[1:] + zinfo = ZipInfo(arcname, date_time) zinfo.external_attr = (st[0] & 0xFFFF) << 16L # Unix attributes if compress_type is None: zinfo.compress_type = self.compression @@ -372,6 +372,12 @@ Extension Modules Library ------- +- Bug #1413790: zipfile now sanitizes absolute archive names that are + not allowed by the specs. + +- Bug #1413790: zipfile now sanitizes absolute archive names that are + not allowed by the specs. + - Patch #1215184: FileInput now can be given an opening hook which can be used to control how files are opened. |
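Review bot: The stripping loop `while arcname[0] in (os.sep, os.altsep):` indexes an empty string once every character has been removed, so an arcname made up only of separators (for example `"/"`) raises IndexError instead of being handled. Guarding it as `while arcname and arcname[0] in (os.sep, os.altsep):` avoids the crash, though the code then still has to decide what to do with an empty name. os.path.normpath also keeps leading `..` components, so a name such as `../x` passes through unchanged and the sanitising covers absolute names only. A comment such as `# leading ".." components are not removed here` would keep readers from assuming the stored name is confined to the archive root. The enclosing method starts and ends outside the hunk.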