diff options
| author | Christian Heimes <christian@cheimes.de> | 2008-01-20 09:06:41 (GMT) |
|---|---|---|
| committer | Christian Heimes <christian@cheimes.de> | 2008-01-20 09:06:41 (GMT) |
| commit | fdab48ea2fd2f9e89c56adb4c154beff307d34cb (patch) | |
| tree | 14859e3c0751294adf94d025c19319daa3355b7c /Lib/zipfile.py | |
| parent | 825fc8bedeab69b7cf02291fd844a5faef64f167 (diff) | |
| download | cpython-fdab48ea2fd2f9e89c56adb4c154beff307d34cb.zip cpython-fdab48ea2fd2f9e89c56adb4c154beff307d34cb.tar.gz cpython-fdab48ea2fd2f9e89c56adb4c154beff307d34cb.tar.bz2 | |
Merged revisions 60094-60123 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
*** NOTE ***
I haven't merged the files in Doc/c-api/. I got too many conflicts. Georg,
please split them manually.
........
r60095 | andrew.kuchling | 2008-01-19 21:12:04 +0100 (Sat, 19 Jan 2008) | 2 lines
Bug 1277: make Maildir use the user-provided factory instead of hard-wiring MaildirMessage.
2.5.2 bugfix candidate.
........
r60097 | georg.brandl | 2008-01-19 21:22:13 +0100 (Sat, 19 Jan 2008) | 4 lines
#1663329: add os.closerange() to close a range of fds,
ignoring errors, and use this in subprocess to speed up
subprocess creation in close_fds mode. Patch by Mike Klaas.
........
r60099 | georg.brandl | 2008-01-19 21:40:24 +0100 (Sat, 19 Jan 2008) | 2 lines
#1411695: clarify behavior of xml.sax.utils.[un]escape.
........
r60101 | andrew.kuchling | 2008-01-19 21:47:59 +0100 (Sat, 19 Jan 2008) | 7 lines
Patch #1019808 from Federico Schwindt: Return correct socket error when
a default timeout has been set, by using getsockopt() to get the error
condition (instead of trying another connect() call, which seems to be
a Linuxism).
2.5 bugfix candidate, assuming no one reports any problems with this change.
........
r60102 | gregory.p.smith | 2008-01-19 21:49:02 +0100 (Sat, 19 Jan 2008) | 3 lines
fix comment typos, use not arg instead of arg == "", add test coverage
for inside of the final if needquotes: within subprocess.list2cmdline().
........
r60103 | georg.brandl | 2008-01-19 21:53:07 +0100 (Sat, 19 Jan 2008) | 2 lines
#1509: fix sqlite3 docstrings and docs w.r.t. cursor.fetchXXX methods.
........
r60104 | gregory.p.smith | 2008-01-19 21:57:59 +0100 (Sat, 19 Jan 2008) | 6 lines
Fixes issue1336 - a race condition could occur when forking if the gc
kicked in during the critical section. solution: disable gc during
that section. Patch contributed by jpa and updated by me to cover the
race condition still existing what therve from twistedmatrix pointed
out (already seen and fixed in twisted's own subprocess code).
........
r60105 | gregory.p.smith | 2008-01-19 22:00:37 +0100 (Sat, 19 Jan 2008) | 2 lines
note about r60104
........
r60106 | andrew.kuchling | 2008-01-19 22:00:38 +0100 (Sat, 19 Jan 2008) | 1 line
Bug 1296: restore text describing OptionGroup
........
r60109 | georg.brandl | 2008-01-19 23:08:21 +0100 (Sat, 19 Jan 2008) | 2 lines
Split the monstrous C API manual files in smaller parts.
........
r60110 | georg.brandl | 2008-01-19 23:14:27 +0100 (Sat, 19 Jan 2008) | 2 lines
Missed one big file to split up.
........
r60111 | gregory.p.smith | 2008-01-19 23:23:56 +0100 (Sat, 19 Jan 2008) | 12 lines
Undo an unnecessary else: and indentation that r60104 added.
try:
...
except:
...
raise
else:
...
the else: is unecessary due to the blind except: with a raise.
........
r60115 | gregory.p.smith | 2008-01-19 23:49:37 +0100 (Sat, 19 Jan 2008) | 3 lines
Fix issue 1300: Quote command line arguments that contain a '|' character in
subprocess.list2cmdline (windows).
........
r60116 | gregory.p.smith | 2008-01-20 00:10:52 +0100 (Sun, 20 Jan 2008) | 3 lines
Fixes/Accepts Patch for issue1189216 - Work properly with archives
that have file headers past the 2**31 byte boundary.
........
r60119 | andrew.kuchling | 2008-01-20 01:00:38 +0100 (Sun, 20 Jan 2008) | 3 lines
Patch #1048820 from Stefan Wehr: add insert-mode editing to Textbox.
Fix an off-by-one error I noticed.
........
r60120 | andrew.kuchling | 2008-01-20 01:12:19 +0100 (Sun, 20 Jan 2008) | 1 line
Add an interactive test script for exercising curses
........
r60121 | gregory.p.smith | 2008-01-20 02:21:03 +0100 (Sun, 20 Jan 2008) | 7 lines
Fix zipfile decryption. The check for validity only worked on one
type of encrypted zip files. Files using extended local headers
needed to compare the check byte against different values. (according
to reading the infozip unzip crypt.c source code)
Fixes issue1003.
........
r60122 | gregory.p.smith | 2008-01-20 02:26:04 +0100 (Sun, 20 Jan 2008) | 2 lines
note for r60121
........
r60123 | gregory.p.smith | 2008-01-20 02:32:00 +0100 (Sun, 20 Jan 2008) | 4 lines
Document that zipfile decryption is insanely slow and fix a typo and
blatant lie in a docstring (it is not useful for security regardless of
how you spell it).
........
Diffstat (limited to 'Lib/zipfile.py')
| -rw-r--r-- | Lib/zipfile.py | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/Lib/zipfile.py b/Lib/zipfile.py index 9f98728..2865c0a 100644 --- a/Lib/zipfile.py +++ b/Lib/zipfile.py @@ -34,9 +34,9 @@ ZIP_DEFLATED = 8 # Other ZIP compression methods not supported # Here are some struct module formats for reading headers -structEndArchive = "<4s4H2lH" # 9 items, end of archive, 22 bytes +structEndArchive = "<4s4H2LH" # 9 items, end of archive, 22 bytes stringEndArchive = b"PK\005\006" # magic number for end of archive record -structCentralDir = "<4s4B4HlLL5HLl"# 19 items, central directory, 46 bytes +structCentralDir = "<4s4B4HlLL5HLL"# 19 items, central directory, 46 bytes stringCentralDir = b"PK\001\002" # magic number for central directory structFileHeader = "<4s2B4HlLL2H" # 12 items, file header record, 30 bytes stringFileHeader = b"PK\003\004" # magic number for file header @@ -188,6 +188,7 @@ class ZipInfo (object): 'CRC', 'compress_size', 'file_size', + '_raw_time', ) def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)): @@ -303,7 +304,7 @@ class _ZipDecrypter: ZIP supports a password-based form of encryption. Even though known plaintext attacks have been found against it, it is still useful - for low-level securicy. + to be able to get data out of such a file. Usage: zd = _ZipDecrypter(mypwd) @@ -690,6 +691,7 @@ class ZipFile: x.CRC, x.compress_size, x.file_size) = centdir[1:12] x.volume, x.internal_attr, x.external_attr = centdir[15:18] # Convert date/time code to (year, month, day, hour, min, sec) + x._raw_time = t x.date_time = ( (d>>9)+1980, (d>>5)&0xF, d&0x1F, t>>11, (t>>5)&0x3F, (t&0x1F) * 2 ) @@ -800,11 +802,18 @@ class ZipFile: # The first 12 bytes in the cypher stream is an encryption header # used to strengthen the algorithm. The first 11 bytes are # completely random, while the 12th contains the MSB of the CRC, + # or the MSB of the file time depending on the header type # and is used to check the correctness of the password. bytes = zef_file.read(12) h = list(map(zd, bytes[0:12])) - if h[11] != ((zinfo.CRC>>24) & 255): - raise RuntimeError("Bad password for file %s" % name) + if zinfo.flag_bits & 0x8: + # compare against the file type from extended local headers + check_byte = (zinfo._raw_time >> 8) & 0xff + else: + # compare against the CRC otherwise + check_byte = (zinfo.CRC >> 24) & 0xff + if h[11] != check_byte: + raise RuntimeError("Bad password for file", name) # build and return a ZipExtFile if zd is None: |