Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ZipFile doesn't range check in _EndRecData() #49094

Closed
ymgve mannequin opened this issue Jan 5, 2009 · 11 comments
Closed

ZipFile doesn't range check in _EndRecData() #49094

ymgve mannequin opened this issue Jan 5, 2009 · 11 comments
Assignees
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@ymgve
Copy link
Mannequin

ymgve mannequin commented Jan 5, 2009

BPO 4844
Nosy @pitrou, @serhiy-storchaka
Files
  • 64times01-double.zip
  • issue4844.diff
  • issue4844-with-test.diff: added test to patch
  • zipfile_unpack_check.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
    closed_at = <Date 2013-01-31.14:15:48.833>
    created_at = <Date 2009-01-05.15:24:10.693>
    labels = ['type-bug', 'library']
    title = "ZipFile doesn't range check in _EndRecData()"
    updated_at = <Date 2013-01-31.14:15:48.832>
    user = 'https://bugs.python.org/ymgve'

    bugs.python.org fields:

    activity = <Date 2013-01-31.14:15:48.832>
    actor = 'serhiy.storchaka'
    assignee = 'serhiy.storchaka'
    closed = True
    closed_date = <Date 2013-01-31.14:15:48.833>
    closer = 'serhiy.storchaka'
    components = ['Library (Lib)']
    creation = <Date 2009-01-05.15:24:10.693>
    creator = 'ymgve'
    dependencies = []
    files = ['12597', '12603', '18604', '28853']
    hgrepos = []
    issue_num = 4844
    keywords = ['patch']
    message_count = 11.0
    messages = ['79155', '79156', '79158', '114636', '116885', '116889', '176744', '176803', '176809', '180683', '181019']
    nosy_count = 8.0
    nosy_names = ['mcherm', 'alanmcintyre', 'pitrou', 'ebfe', 'ymgve', 'neologix', 'python-dev', 'serhiy.storchaka']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue4844'
    versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']

    @ymgve
    Copy link
    Mannequin Author

    ymgve mannequin commented Jan 5, 2009

    If you have a .zip file with an incomplete "End of Central Directory"
    record, _EndRecData() will throw a struct.error:

    D:\c64workdir\Ultimate_Mag_Archive>e:ziptest.py "old - 
    Ultimate_Mag_Archive"
    Handling A-z\0\64times01-double.zip
    Traceback (most recent call last):
      File "E:\wwwroot\c64db\tools\ziptest.py", line 48, in <module>
        ok = handle_file(data, rel_filename)
      File "E:\wwwroot\c64db\tools\ziptest.py", line 19, in handle_file
        z = zipfile.ZipFile(cStringIO.StringIO(data), "r")
      File "C:\Python26\lib\zipfile.py", line 698, in __init__
        self._GetContents()
      File "C:\Python26\lib\zipfile.py", line 718, in _GetContents
        self._RealGetContents()
      File "C:\Python26\lib\zipfile.py", line 728, in _RealGetContents
        endrec = _EndRecData(fp)
      File "C:\Python26\lib\zipfile.py", line 219, in _EndRecData
        endrec = list(struct.unpack(structEndArchive, recData))
    struct.error: unpack requires a string argument of length 22

    The fix is to include a check to see if there is data enough for the
    whole record before attempting to unpack.

    @ymgve ymgve mannequin added the stdlib Python modules in the Lib dir label Jan 5, 2009
    @ebfe
    Copy link
    Mannequin

    ebfe mannequin commented Jan 5, 2009

    please attach 64times01-double.zip if possible

    @ymgve
    Copy link
    Mannequin Author

    ymgve mannequin commented Jan 5, 2009

    Here is the file. Note that this can be reproduced with any zip file if
    you delete the last byte of the file.

    @alanmcintyre
    Copy link
    Mannequin

    alanmcintyre mannequin commented Aug 22, 2010

    I wrote a test for this and tried out the patch on the Python3 trunk, and it seems to work ok. I've attached an updated patch that includes the test.

    It probably wouldn't hurt to go look for other places where a struct is being unpacked without checking lengths first, and see if it makes sense to add a similar check in those places, too. I may do that later if I have some more free time.

    @neologix
    Copy link
    Mannequin

    neologix mannequin commented Sep 19, 2010

    Following EAFP principle, it would be better - cleaner and more efficient - to put the stuct.unpack inside a try/except clause than checking the lengths beforehand.

    @alanmcintyre
    Copy link
    Mannequin

    alanmcintyre mannequin commented Sep 19, 2010

    I had to look up the abbreviation (Easier to Ask Forgiveness than Permission), but that does sound like a good idea. Thanks for mentioning it. :-)

    @serhiy-storchaka
    Copy link
    Member

    serhiy-storchaka commented Dec 1, 2012

    Here is a patch for 3.4, which adds checks for other unpacks (except one, for which bpo-14315 exists). Also BadZipfile replaced by BadZipFile and trailing whitespaces deleted.

    For 2.7 BadZipFile should be replaced by BadZipfile back.

    @serhiy-storchaka serhiy-storchaka added the type-bug An unexpected behavior, bug, or error label Dec 1, 2012
    @pitrou
    Copy link
    Member

    pitrou commented Dec 2, 2012

    In test_damaged_zipfile:

    + for N in range(len(s) - 2):
    + with open(TESTFN, "wb") as f:
    + f.write(s[:N])

    why not range(len(s)) instead?

    @serhiy-storchaka
    Copy link
    Member

    serhiy-storchaka commented Dec 2, 2012

    I just copy it from Alan's test. Actually this is not needed, range(len(s)) can be used.

    @serhiy-storchaka
    Copy link
    Member

    serhiy-storchaka commented Jan 26, 2013

    Patch updated. Now the test use io.BytesIO() for input too. A loop limit changed from len() -2 to len().

    If there are no objections I'll commit this patch next week.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Jan 31, 2013

    New changeset 32de35f0f877 by Serhiy Storchaka in branch '2.7':
    Issue bpo-4844: ZipFile now raises BadZipfile when opens a ZIP file with an
    http://hg.python.org/cpython/rev/32de35f0f877

    New changeset 01147e468c8c by Serhiy Storchaka in branch '3.2':
    Issue bpo-4844: ZipFile now raises BadZipFile when opens a ZIP file with an
    http://hg.python.org/cpython/rev/01147e468c8c

    New changeset 46f24a18a4ab by Serhiy Storchaka in branch '3.3':
    Issue bpo-4844: ZipFile now raises BadZipFile when opens a ZIP file with an
    http://hg.python.org/cpython/rev/46f24a18a4ab

    New changeset e406b8bd7b38 by Serhiy Storchaka in branch 'default':
    Issue bpo-4844: ZipFile now raises BadZipFile when opens a ZIP file with an
    http://hg.python.org/cpython/rev/e406b8bd7b38

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants