[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-08 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: stage: needs patch -> committed/rejected

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-07 Thread Gregory P. Smith
Changes by Gregory P. Smith: resolution: -> fixed; status: open -> closed

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-07 Thread Roundup Robot
Roundup Robot added the comment: New changeset d73fb6b06891 by Gregory P. Smith in branch '2.7': Issue #6972: fix the documentation misapplied patch. http://hg.python.org/cpython/rev/d73fb6b06891 New changeset 1c2d41850147 by Gregory P. Smith in branch '3.2': Issue #6972: keep the warning about

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-07 Thread Gregory P. Smith
Gregory P. Smith added the comment: reopening as documentation mixups remain to be fixed. -- nosy: +benjamin.peterson, larry; priority: high -> release blocker; resolution: fixed ->; stage: patch review -> needs patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-07 Thread R. David Murray
Changes by R. David Murray: status: closed -> open

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-07 Thread Catalin Iacob
Catalin Iacob added the comment: There are 2 issues with the documentation changes introduced by these patches. 1. for 2.7, the note added by the doc patch is in the wrong place, at the setpassword method instead of the extract or extractall method 2. for 3.x the "Never extract archives from u

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Gregory P. Smith
Gregory P. Smith added the comment: I believe this is all done after Serhiy's fixes. -- assignee: gregory.p.smith -> serhiy.storchaka; status: open -> closed

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: nosy: +Arfrever

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset 434b50c7bbed by Serhiy Storchaka in branch '3.2': Fix the test for issue #6972. http://hg.python.org/cpython/rev/434b50c7bbed New changeset 8b33f3a4a200 by Serhiy Storchaka in branch '3.3': Fix the test for issue #6972. http://hg.python.org/cpython/

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset ab4b8da79a5f by Serhiy Storchaka in branch '2.7': Fix test for issue #6972. http://hg.python.org/cpython/rev/ab4b8da79a5f

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset 5a68052b52ea by Serhiy Storchaka in branch '2.7': Preserve backslashes in malicious zip files for testing issue #6972. http://hg.python.org/cpython/rev/5a68052b52ea

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset ebef003a2acd by Serhiy Storchaka in branch '2.7': Fix the test and remove trailing dots on Windows for issue #6972. http://hg.python.org/cpython/rev/ebef003a2acd

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here are patches which possibly fix some of these failures. -- Added file: http://bugs.python.org/file28932/zipfile_fix_arcname_4-2.7.patch Added file: http://bugs.python.org/file28933/zipfile_fix_arcname_4-3.x.patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > The patch introduced a Cyrillic "C" into the docs, see below. Thank you. Fixed.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset b6b707063991 by Serhiy Storchaka in branch '2.7': Fix a Cyrillic "C" introduced into the docs by patch for issue #6972. http://hg.python.org/cpython/rev/b6b707063991 New changeset ede0f27988f2 by Serhiy Storchaka in branch '3.2': Fix a Cyrillic "C" i

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: There are different test fails on Windows: http://buildbot.python.org/all/builders/x86%20XP-5%203.3/builds/405/steps/test/logs/stdio == ERROR: test_extract_hackers_arcnames (test.test_zipfile.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Georg Brandl
Georg Brandl added the comment: The patch introduced a Cyrillic "C" into the docs, see below. This makes the LaTeX build fail. + ``foo/bar`` on Unix, and ``С:\foo\bar`` becomes ``foo\bar`` on Windows. ^^ -- nosy: +georg.brandl status: closed ->

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-02 Thread Roundup Robot
Roundup Robot added the comment: New changeset c3ab8a698d2f by Serhiy Storchaka in branch '2.7': Fix translating of illegal characters on Windows (issue #6972). http://hg.python.org/cpython/rev/c3ab8a698d2f

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-01 Thread Gregory P. Smith
Gregory P. Smith added the comment: yes, tarfile appears to have the same problem. http://bugs.python.org/issue17102 filed.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-01 Thread Ralf Schmitt
Ralf Schmitt added the comment: does anyone know if the same issue has been fixed in the tarfile module?

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-01 Thread Gregory P. Smith
Changes by Gregory P. Smith: resolution: -> fixed; status: open -> closed

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-01 Thread Roundup Robot
Roundup Robot added the comment: New changeset 0c5fa35c9f12 by Gregory P. Smith in branch '3.2': Fixes Issue #6972: The zipfile module no longer overwrites files outside of http://hg.python.org/cpython/rev/0c5fa35c9f12 New changeset 483488a1dec5 by Gregory P. Smith in branch '3.3': Fixes Issue #

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-02-01 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Feel free to change the patch as you see fit.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-01-31 Thread Gregory P. Smith
Gregory P. Smith added the comment: the patch looks good, thanks! one minor comment in a test but i'll take care of that as i submit.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-01-31 Thread Catalin Iacob
Changes by Catalin Iacob: nosy: +catalin.iacob

[issue6972] zipfile.ZipFile overwrites files outside destination path

2013-01-26 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Can anyone review the patch?

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-24 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: stage: -> patch review

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-23 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Patch updated. Fixed case '../C:/foo' on Windows. -- Added file: http://bugs.python.org/file27686/zipfile_fix_arcname_3.patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-23 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: Removed file: http://bugs.python.org/file27665/zipfile_fix_arcname_2.patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-22 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Oh, I forgot docs. -- Added file: http://bugs.python.org/file27665/zipfile_fix_arcname_2.patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-22 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: Removed file: http://bugs.python.org/file27661/zipfile_fix_arcname_2.patch

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-10-22 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is a patch based on patch for issue10905. Test included (I have removed some old tests as new one supersede them). Please test on Windows. ".." components, leading slashes, drive letter, etc are just dropped, as in unzip or 7-Zip. Thanks Zhigang Wang fo
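
The dropping of ".." components, leading slashes and drive letters described in the comment above, sketched as an added example; it is not the patch attached to the issue and not CPython's code. The names sanitize_arcname and safe_target are hypothetical, the member names are constructed, and treating both "/" and "\" as separators on every platform is an assumption of this sketch.

```python
import ntpath
import os
import re

# Assumption of this sketch: both "/" and "\" count as separators on every
# platform, which is stricter than per-platform handling.
_SEPARATORS = re.compile(r"[\\/]+")


def sanitize_arcname(name):
    """Return a relative path built only from the safe components of name."""
    parts = []
    for component in _SEPARATORS.split(name):
        # Strip a drive prefix such as "C:" wherever it appears, so that
        # "../C:/foo" cannot reintroduce an absolute Windows path.
        _drive, component = ntpath.splitdrive(component)
        if component in ("", ".", ".."):
            continue  # leading or doubled slash, current dir, parent dir
        parts.append(component)
    return "/".join(parts)


def safe_target(dest, name):
    """Map an archive member name to a path inside dest, or raise ValueError."""
    relative = sanitize_arcname(name)
    if not relative:
        raise ValueError("member name %r has no usable components" % name)
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, *relative.split("/")))
    # Component-wise containment check after resolving symlinks that already
    # exist under dest; a plain string prefix test would be weaker.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("member name %r resolves outside %r" % (name, dest))
    return target


# Constructed member names modelled on the cases mentioned in the thread.
SAMPLES = ["//etc/password", "../asdfgh", "C:\\foo\\bar", "../C:/foo",
           "docs/./readme.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-22r -> %r" % (sample, sanitize_arcname(sample)))
```
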

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-04-08 Thread R. David Murray
R. David Murray added the comment: To clarify what Serhiy said about the patches, the link to the patch works, but the Rietveld review button isn't working. I get 'No issue exists with that id (6972)'. -- nosy: +loewis

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-04-07 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > +# make sure the zip file isn't traversing out of the path > +if not targetpath.startswith(basepath): Check is insufficient. basepath='/etc/asd', member.filename='../asdfgh'. The issue10905 has relations with this issue. P. S. Viewing patc
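
Review bot: the startswith test on the last quoted line compares raw strings, so a target in a sibling directory that merely shares the prefix passes it, as the reply's basepath='/etc/asd', member.filename='../asdfgh' case shows. Compare against the normalised basepath with a trailing os.sep appended, or compare path components rather than characters, so that only paths under the directory match.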

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-04-07 Thread Thomas W. Barr
Thomas W. Barr added the comment: I'll update my patch to work on the current 3.x head later tonight.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-04-07 Thread Antoine Pitrou
Changes by Antoine Pitrou: priority: normal -> high; stage: -> needs patch; versions: +Python 3.3 -Python 2.6

[issue6972] zipfile.ZipFile overwrites files outside destination path

2012-04-07 Thread Serhiy Storchaka
Changes by Serhiy Storchaka: nosy: +storchaka

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-10-01 Thread Gregory P. Smith
Changes by Gregory P. Smith: versions: +Python 2.7, Python 3.2

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-10-01 Thread Gregory P. Smith
Gregory P. Smith added the comment: yes this will be fixed in 2.7/3.2. as for creative uses where someone might want the out of supplied path overwriting behavior? those people are insane and should be made to jump through extra hoops to get it. ;)

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-10-01 Thread Thomas W. Barr
Thomas W. Barr added the comment: Even if we can't fix things for this release, presumably it's not too late to fix things for 2.7, right? Yes, there certainly are cases where you might want to have creative usage of symlinks and stored paths to allow overwriting existing files, and placing fil

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-10-01 Thread Ralf Schmitt
Ralf Schmitt added the comment: I'd rather have an extractall version which just throws a RuntimeError than one which overwrites any file with any content on my filesystem if I'm trying to unzip a zip file. Then I at least know that I have to write my own version. Adding a warning to the docume

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Gregory P. Smith
Gregory P. Smith added the comment: Adding a warning to the documentation is not wrong, it is the only thing that is possible for the 2.6.3 release. It's too late in the current release process to change code.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Ralf Schmitt
Ralf Schmitt added the comment: Adding a warning to the documentation is wrong. The intention of the code clearly is to only create files in the destination directory (or why remove the first slash then?) and that is also the impression I get from reading the documentation.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Amaury Forgeot d'Arc
Amaury Forgeot d'Arc added the comment: The patch won't work if the target file already exists as a symlink. I think that such a check is not a good idea. Using symlinks to extract files to somewhere else may be a feature, after all. Especially if the symlink already exists before the operati

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Thomas W. Barr
Thomas W. Barr added the comment: A fair point. I was thinking that we could query the OS about whatever filesystem the path is on, but this wouldn't work for a file that hasn't been created yet. The issue with extractall() isn't just that it can extract over existing files, it's that it can wr

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Ned Deily
Ned Deily added the comment: Yes, as shipped from the factory, the default "root" file system is still case-insensitive but the user can change that. There there are file systems on attached disk images and NFS-mounted file systems, etc etc. More to the point, it's not a system attribute, r

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Thomas W. Barr
Thomas W. Barr added the comment: Good point, I'd forgotten that case-sensitive file systems are an option. I do know that it's not the default, though, and that as shipped from Apple, at least the consumer machines are case-insensitive. Things may be different in server-land. For what it's wor

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Ned Deily
Ned Deily added the comment: "The Mac version of os.path.normpath doesn't change the path, as per the posix version, which isn't correct on HFS+, which is not case sensitive." Not so. Case-sensitive vs case-insensitive behavior is chosen when initializing an HFS+ file system (since OS X 10.3).

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Thomas W. Barr
Changes by Thomas W. Barr: Removed file: http://bugs.python.org/file15003/zipfile-6972-patch.diff

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-30 Thread Thomas W. Barr
Thomas W. Barr added the comment: os.path.realpath() doesn't normalize case, so this could have issues on Windows. The new patch should not. The Mac version of os.path.normpath doesn't change the path, as per the posix version, which isn't correct on HFS+, which is not case sensitive. That's an

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: My apologies, I clicked the wrong button and deleted my test. There is no change in the newly uploaded one. -- Added file: http://bugs.python.org/file15005/zipfile-6972-test.diff

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Changes by Thomas W. Barr: Removed file: http://bugs.python.org/file15002/zipfile-6972-test.diff

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: zf.extract() is unsafe for the same reason. My patch fixes this issue, but we should mention the possible bug in the documentation there as well. They do this for the similar bug in tarfile. I've copy/pasted the mention in tarfile.extract() to zipfile.extract()

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Gregory P. Smith
Gregory P. Smith added the comment: Documentation note added (copied from tarfile) in trunk r75149, release26-maint r75150 (hopefully in time for 2.6.3 but that's up to Barry).

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread R. David Murray
R. David Murray added the comment: Patches to the docs, just like patches to the code (the docs are in the Doc subdirectory). Once committed, they get auto-generated and uploaded. -- nosy: +r.david.murray

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: As for the documentation, it might be a wise idea to update the current documentation to mention this issue, until the next release. I'm not really sure what the process is for doing that, though...

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Gregory P. Smith
Changes by Gregory P. Smith: assignee: -> gregory.p.smith; nosy: +gregory.p.smith; priority: -> normal

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: Uploading patch. This actually should fix my theoretical symlink bug since realpath() properly follows symlinks. The only thing that I haven't been able to test is the behavior of realpath() on case-insensitive operating systems. This should do the right thing,

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: Uploading test. -- keywords: +patch; Added file: http://bugs.python.org/file15002/zipfile-6972-test.diff

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Thomas W. Barr
Thomas W. Barr added the comment: My working solution is to iterate through members, and ensure that os.path.abspath(os.path.join(path, member)) always .startswith(path). This seems like a better solution than trying to trap on a pattern in the string. Presumably the same fix can be made to ta

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Amaury Forgeot d'Arc
Amaury Forgeot d'Arc added the comment: The tarfile module solved this issue with a documentation warning: http://docs.python.org/library/tarfile.html#tarfile.TarFile.extractall -- nosy: +amaury.forgeotdarc

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Ralf Schmitt
Ralf Schmitt added the comment: The documentation should also mention that it's unsafe to use this method in python <= 2.6.2. 2.6.2 is also unsafe.

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-29 Thread Ralf Schmitt
Ralf Schmitt added the comment: I think this should clearly be fixed in the code. The current code tries to handle absolute paths by removing the first slash (unfortunately not the second), so it looks like it tries to be safe and only write to the destination directory. That should be the defau

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-28 Thread Thomas W. Barr
Thomas W. Barr added the comment: Do people have an opinion as to whether this should be fixed with a docfix, fixed as default (with option to allow path traversal) or fixed as a non-default option? The same issue exists in ZipFile.extract, but in that case you're presumably passing a path yo

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-28 Thread Thomas W. Barr
Changes by Thomas W. Barr: nosy: +twb

[issue6972] zipfile.ZipFile overwrites files outside destination path

2009-09-22 Thread Ralf Schmitt
Changes by Ralf Schmitt: title: zipfile.ZipFile -> zipfile.ZipFile overwrites files outside destination path

[issue6972] zipfile.ZipFile

2009-09-22 Thread Ralf Schmitt
New submission from Ralf Schmitt : ZipFile.extractall happily overwrites any file on the filesystem. One can put files with a name like "//etc/password" in a zip file and extractall will overwrite /etc/password (with sufficient rights). The docs say: ZipFile.extractall([path[, members[, pwd]]])