New submission from Cristi Fati <[email protected]>:
PKWARE encryption password pre check algorithm (relying on an 8 bits value to
differentiate passwords) is insanely short.
Most of the wrong passwords are filtered out by the check, but some of them
aren't. For the ones in the latter category, when trying to extract an archive
member, a 0 lengthed file with its name will be created on the FS (overwriting
any previous version).
Usecase:
1. Extract an archive member using the good password. File extracted
2. Extract the same member using a wrong password:
2.1 For most of the passwords, they will be detected and the operation
cancelled
2.2 But some of them, they won't be detected (false positives), but the
decryption itself will fail overwriting the file (from #1.) on FS but leaving
it with 0 bytes content
This is the about #2.2.
More details on [[SO]: zipfile.BadZipFile: Bad CRC-32 when extracting a
password protected .zip & .zip goes corrupt on extract (@CristiFati's
answer)](https://stackoverflow.com/questions/54532010/zipfile-badzipfile-bad-crc-32-when-extracting-a-password-protected-zip-zip/55063500#55063500).
----------
components: Library (Lib)
messages: 337543
nosy: CristiFati
priority: normal
severity: normal
status: open
title: zipfile - extract truncates (existing) file when bad password provided
(zip encryption weakness)
type: behavior
versions: Python 3.6
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue36247>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
