From 8f7c54eaa5e363ef02e99518253b3cb17f6602e6 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Mon, 20 Feb 2006 08:40:38 +0000 Subject: Bug #1413790: zipfile now sanitizes absolute archive names that are not allowed by the specs. --- Doc/lib/libzipfile.tex | 7 +++++-- Lib/test/test_zipfile.py | 10 ++++++++++ Lib/zipfile.py | 8 +++++--- Misc/NEWS | 6 ++++++ 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/Doc/lib/libzipfile.tex b/Doc/lib/libzipfile.tex index a0b5e63..32ca3e0 100644 --- a/Doc/lib/libzipfile.tex +++ b/Doc/lib/libzipfile.tex @@ -140,10 +140,13 @@ cat myzip.zip >> python.exe compress_type}}} Write the file named \var{filename} to the archive, giving it the archive name \var{arcname} (by default, this will be the same as - \var{filename}). If given, \var{compress_type} overrides the value + \var{filename}, but without a drive letter and with leading path + separators removed). If given, \var{compress_type} overrides the value given for the \var{compression} parameter to the constructor for the new entry. The archive must be open with mode \code{'w'} or - \code{'a'}. + \code{'a'}. + \note{Archive names should be relative to the archive root, that is, + they should not start with a path separator.} \end{methoddesc} \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes} diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py index 57e7423..9fadc30 100644 --- a/Lib/test/test_zipfile.py +++ b/Lib/test/test_zipfile.py @@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase): for f in (TESTFN2, TemporaryFile(), StringIO()): self.zipTest(f, zipfile.ZIP_DEFLATED) + def testAbsoluteArcnames(self): + zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED) + zipfp.write(TESTFN, "/absolute") + zipfp.close() + + zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED) + self.assertEqual(zipfp.namelist(), ["absolute"]) + zipfp.close() + + def tearDown(self): os.remove(TESTFN) os.remove(TESTFN2) 
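Review bot: `testAbsoluteArcnames` exercises only a single leading `/`, so the other branches of the new sanitizing code are untested: the `os.path.splitdrive` step, repeated leading separators, and a name made up of separators only. I would add writes with distinct names such as `zipfp.write(TESTFN, "//absolute2")`, and extend the `namelist()` assertion to cover them. Both `ZipFile` objects are closed only on the success path, so a failing assertion leaves `TESTFN2` open while `tearDown` tries to remove it; wrapping each use in `try: ... finally: zipfp.close()` avoids that. The enclosing test class starts and ends outside the hunk.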
diff --git a/Lib/zipfile.py b/Lib/zipfile.py index 037843c..168d245 100644 --- a/Lib/zipfile.py +++ b/Lib/zipfile.py @@ -397,9 +397,11 @@ class ZipFile: date_time = mtime[0:6] # Create ZipInfo instance to store file information if arcname is None: - zinfo = ZipInfo(filename, date_time) - else: - zinfo = ZipInfo(arcname, date_time) + arcname = filename + arcname = os.path.normpath(os.path.splitdrive(arcname)[1]) + while arcname[0] in (os.sep, os.altsep): + arcname = arcname[1:] + zinfo = ZipInfo(arcname, date_time) zinfo.external_attr = (st[0] & 0xFFFF) << 16L # Unix attributes if compress_type is None: zinfo.compress_type = self.compression diff --git a/Misc/NEWS b/Misc/NEWS index 32f6047..28895c4 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -372,6 +372,12 @@ Extension Modules Library ------- +- Bug #1413790: zipfile now sanitizes absolute archive names that are + not allowed by the specs. + +- Bug #1413790: zipfile now sanitizes absolute archive names that are + not allowed by the specs. + - Patch #1215184: FileInput now can be given an opening hook which can be used to control how files are opened. -- cgit v0.12
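Review bot: The new `while arcname[0] in (os.sep, os.altsep):` loop indexes an empty string once a name consisting only of separators (for example an arcname of `/`) has been stripped, so `write()` raises IndexError instead of a meaningful error. Guard it as `while arcname and arcname[0] in (os.sep, os.altsep):` and decide explicitly what an empty result should do. Separately, `os.path.normpath` collapses inner `..` segments but keeps leading ones, so a name such as `../x` is still stored unchanged and can resolve outside the destination directory when an extractor joins it to a path. If the intent is that archive names stay under the archive root, leading `..` components should be rejected or stripped here as well. The enclosing `write()` method starts and ends outside the hunk.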