Use ZipFile.open instead of ZipFile.read

[waveform80]

To avoid huge memory usage in unusual situations (e.g. the TensorFlow wheel on a Raspberry Pi), use ZipFile.open and shutil.copyfileobj instead of ZipFile.read, which loads all the decompressed data of the file (an arbitrarily large amount) into a byte-string. On the Pi, this can lead to out-of-memory situations when there's no swap (the default configuration of Raspbian), and the wheel contains huge files.

[waveform80]

I'm assuming for now that this would be marked trivial - do let me know if you want me to add a news file.

[cjerdonek]

Thanks! I think it would be worth a news file IMO as some users will see a concrete benefit.

[waveform80]

Thanks! I think it would be worth a news file IMO as some users will see a concrete benefit.

Okay, will do.

[cjerdonek]

This PR looks okay to me now. Thanks, @waveform80!

However, in the course of reviewing the PR, I noticed that if you comment out the lines changed by this PR, the unzip_file() file test still passes. Thus, I made a separate PR to test the file contents: #5891 (I would feel bad about asking you, @waveform80, to make yet another change since you've been so patient!) So for completeness, I'd like to merge that PR before merging this one.

A couple other random things I noticed (but not for this PR as it's out of scope):

1. The Python docs say it might be better to pass the ZipInfo object to open() rather than the name.
2. Maybe it would be cleaner to use extract() at a future date rather than shutil.copyfileobj() (which extract() does under the hood anyways).

[waveform80]

The Python docs say it might be better to pass the ZipInfo object to open() rather than the name.

Yup - I considered adding that change to this PR too, but I'm always wary of unintended consequences, so I wound up keeping things as straight-forward as I could.

As I understand it, such a change should only affect pathological zip-files containing multiple members with the same path and name, which I think one could reasonably assume would never happen with a normally constructed wheel (I hope?).

The question then becomes what happens in each case and which behaviour is desirable; my assumption (unconfirmed) is that when using ZipInfo objects (and assuming the code iterates over the members in order), the last member with the duplicate name winds up being the file on disk (assuming it's opened with mode "w" which'd truncate any pre-existing file(s); if one used "w+" a mish-mash of content could result). Whereas, I'd assume when using filenames (as in the current code), the first member with the duplicate name winds up being the file on disk (because the other duplicate(s) are never reached). Given we'd presumably be talking about a maliciously constructed wheel anyway, I'm not sure there's a qualitative difference between the two options: pip has no way of knowing which member is "right" (if there's even such a thing).

Still, it might be worth considering the change anyway as it's probably a little more efficient (fewer filename lookups) and cleaner code.

Maybe it would be cleaner to use extract() at a future date rather than shutil.copyfileobj() (which extract() does under the hood anyways).

That was another change I considered but decided was probably out of scope for this PR. It's definitely worth thinking about though, given pip is sometimes run as root and I don't currently see much defence against a maliciously constructed wheel that could be used to overwrite stuff in, say, /bin. However, I'm also not sure if any of the filename manipulation that extract does (excising parent .. components, and substituting illegal characters in Windows) break existing assumptions in pip (I'd hope not :).

Anyway, there's some random thoughts on future changes for this; I'm happy to bash together a separate PR for them if you'd like.

[cjerdonek]

I'm happy to bash together a separate PR for them if you'd like.

Certainly. You could create one or more PR's for each of those things if you'd like. We'll have to decide whether the risk outweighs the "reward" though.

A few other things that come to mind:

1. Would you be able to review my PR Improve TestUnpackArchives to also test the contents of the extracted files #5891 and let me know if it looks okay to you? That will assist in landing this.

2. Something else I could use help with (assuming you can reproduce the issue) is tracking down why checking the contents of "symlink.txt" didn't work in PR Improve TestUnpackArchives to also test the contents of the extracted files #5891 when I ran the tests locally on Mac OS X. The results were different for test_unpack_tgz() and test_unpack_zip(). Supplementing the test with that check is something else that could be done in a later PR.

3. Given that you put some thought into duplicate names, you might be interested in taking a look at PR utils: fix has_leading_dir corner case #5794. That PR adds test cases for has_leading_dir(), but it's not clear to me if the test expectations are what we want for the edge case of duplicate names..

[cjerdonek]

Closing / reopening to trigger a new test run against latest master.

[pradyunsg]

@cjerdonek The test run on Travis does not check against the merged branch IIRC. AppVeyor does.

[cjerdonek]

@pradyunsg I checked Travis beforehand, and it appears to do so. Like in this case, it's testing:
ecc070a

[benoit-pierre]

They both do:

• AppVeyor: https://ci.appveyor.com/project/pypa/pip/builds/19644612/job/x8dwhfg878fqbqui#L3
• Travis: https://travis-ci.org/pypa/pip/jobs/443781772#L428

[cjerdonek]

Thanks for your work on this, @waveform80!

[waveform80]

1. Would you be able to review my PR Improve TestUnpackArchives to also test the contents of the extracted files #5891 and let me know if it looks okay to you? That will assist in landing this.

Ah, beat me to it!

2. Something else I could use help with (assuming you can reproduce the issue) is tracking down why checking the contents of "symlink.txt" didn't work in PR Improve TestUnpackArchives to also test the contents of the extracted files #5891 when I ran the tests locally on Mac OS X. The results were different for test_unpack_tgz() and test_unpack_zip(). Supplementing the test with that check is something else that could be done in a later PR.

Just had a look at this; I don't have a Mac but I can take a fair guess what's going on here: someone's expected symlinks in zips to "just work".

The zip spec itself has no clue about symlinks (unsurprising given its DOS origins). There's an "external attributes" field in the archive member meta-data in zips which several tools (infozip, and Python's ZipFile class) use to store the file mode (and thus the fact that a member might actually be a symlink). However, in order to re-create a symlink an extractor would still need to check the external attributes represent a symlink and call symlink() instead of open(). Neither pip's unzip_file nor Python's ZipFile.extractall do this, so they'll just extract symlinks as regular files containing the target (the infozip tools on Linux do, though).

If pip's expecting symlinks in a zip to work (which seems to be the case, given that test case, and the contents of test_zip.zip) then unzip_file definitely needs some work. Rather than clutter this ticket any further I'll throw another PR together and we can continue discussion there.

3. Given that you put some thought into duplicate names, you might be interested in taking a look at PR utils: fix has_leading_dir corner case #5794. That PR adds test cases for has_leading_dir(), but it's not clear to me if the test expectations are what we want for the edge case of duplicate names..

I'll take a look

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.