-
Notifications
You must be signed in to change notification settings - Fork 741
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Zip entry size unset now honors user requested compression level #1598
Zip entry size unset now honors user requested compression level #1598
Conversation
…ompression algorithm
Has anyone checked this commit? I don't understand it, but adding low-level C code seems suspicious, and it was PRed by a bad actor known for hiding malware in tests |
While I don’t know this code base very well, I have some concerns about the changes made to libarchive/archive_write_set_format_zip.c that I at least wanted to share. In context of JiaT75’s other work, I can see those changes introducing the following types of vulnerabilities: Removal of length-at-end Via a user-specified algorithm (3) Weaknesses in other compression algorithms. (4) Data corruption (5) DoS via Zip64 Lastly, thanks for all you’re doing to review JiaT75’s changes and maintain this code base overall. I know you’re doing this voluntarily and really appreciate the great care you have in keeping people safe. |
Thank you, @and-sanford for the moral support! |
I actually do know this area of the code well, since I've been working around here just recently. I'll take a close look at this PR today and let you know what I find. |
@kientzle I saw the parent PR was closed, so it looks like this change was benign. I’m curious what your thoughts were when you reviewed? |
Libarchive's zip writer allows the user to request a specific compression be used. Currently, the two supported options are "deflate" (the compression method invented specifically for the original PK-ZIP implementation) and "store" (uncompressed). This PR fixes a bug where even when the user specifically requested "store" compression, that would be ignored by libarchive in certain cases. Instead, libarchive would force the use of "deflate" compression. I wrote the original logic here with the idea that "store" compression was incompatible with certain uses, but I've since spent a lot more time working with the corresponding Zip reading code in libarchive and agree with the author of this PR that I was being overly conservative and that there's no really strong reason not to use the compression that was specifically requested by the user. |
Fixed an issue where not setting the size of an entry in a zip archive would force the user to use the deflate algorithm even if they specified no compression. I added a test to verify the change correctly addresses this problem.
closes #1547