Zipfile sometimes considers a false password to be correct #55085
Comments
Was playing around with Zipfile and passwords in zip files and I noticed that when the password on zipfile.setpassword(pwd) was set to 610, the program crashed with the following errors:

```
File "/usr/lib/python2.6/zipfile.py", line 938, in extractall
```

What do you mean by "is set to 610"? Can you show us the code that caused this error?
Ok, I tried recreating the bug and found out that I couldn't. Originally this happened when I tried to find the password of a zip file through a dictionary attack. The code I used is this:

```python
import zipfile

zfile = raw_input("Please input zip's file name\n")
diction = raw_input("Please input dictionary\n")
found = False
zipf = zipfile.ZipFile(zfile, 'r')
f = open(diction, 'r')
for line in f:
    # Strip only the line ending, so a last line without a newline is not truncated.
    pswd = line.rstrip('\n')
    zipf.setpassword(pswd)
    try:
        zipf.extractall()
        found = True
        break
    except RuntimeError:
        # zipfile reports a failed password check as RuntimeError.
        continue
f.close()
zipf.close()
```

First time I encountered the bug was when on my dictionary I had all the numbers from 000 to 999 and saw that it crashed at 610. Now it crashes at 844. Even when I do this

```python
import zipfile

zfile = raw_input("Please input zip's file name\n")
zipf = zipfile.ZipFile(zfile, 'r')
zipf.setpassword('844')
zipf.extractall()
zipf.close()
```

it crashes with the error in my first post.
Update, tried this in another machine of mine, same exact code and this time it crashes at 68
Well, the password-checking scheme uses a one-byte check against the zip header for consistency. Therefore, I'd call it not a bug. If you want to crack a password, you need to trap this exception and interpret it as "bad password".
Sorry to re-open this, but I consider it an important bug. Tried it in 3.1 also and it's still there. To sum up what's happening, zipfile sometimes considers a false password to be correct and proceeds with decrypting the file. Is there a workaround for this? Or even checking if a file has been decrypted correctly?
As I already explained:
I'm catching all errors and exceptions and zipfile still decompresses it, that's what I've been trying to tell you. I don't face my original problem anymore, I'm catching that exception, now zipfile considers some passwords to be correct and throws no exception, it just decompresses the file (which contains junk since the password was wrong). That's for the second bullet of your message.
Then I suppose the file(s) inside the zip archive are not compressed, (of course, if you have an idea about the contents of that zip file, you
I'm a newbie in python and tried this in order to learn. I created all the zip files (first created a .txt file and zipped it with a password), so I know the file inside the zip is encrypted (ofc I know the password too). Tried this with different .txt files and file names just in case there was some problem with the naming (didn't use any unicode file names). I'm not really at a level I can propose a solution, only thing I know is that zipfile can "decompress" the same file with 4 or more passwords without throwing any exception. Of course only one of those passwords is correct.
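The one-byte header check discussed in this thread accepts roughly 1 in 256 wrong passwords, so the reliable test is the CRC-32 of the decrypted data. The sketch below is an added example, not code from this thread or from CPython: it is written for Python 3, reimplements the traditional PKWARE cipher for a stored (uncompressed) member, and uses a constructed member, a constructed password and a constructed four-digit candidate list; all function names are this example's own.

```python
import zlib

def crc_step(crc, byte):
    # One raw CRC-32 table step (no pre/post inversion), expressed via zlib.crc32.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE stream cipher used for password-protected zip members."""
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self.update(b)
    def update(self, plain_byte):
        k = self.k
        k[0] = crc_step(k[0], plain_byte)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = crc_step(k[2], k[1] >> 24)
    def crypt(self, data, decrypt):
        out = bytearray()
        for c in data:
            t = self.k[2] | 2
            x = c ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self.update(x if decrypt else c)  # keys advance on the plaintext byte
            out.append(x)
        return bytes(out)

def encrypt_member(password, plaintext):
    """Encrypt a stored member: 12-byte header (11 filler bytes, random in real
    tools, then the high byte of the CRC-32) followed by the data."""
    crc = zlib.crc32(plaintext)
    header = bytes(range(11)) + bytes([crc >> 24])
    return ZipCrypto(password).crypt(header + plaintext, decrypt=False), crc

def header_check(password, blob, crc):
    """The one-byte test: decrypt the header, compare its last byte."""
    return ZipCrypto(password).crypt(blob[:12], decrypt=True)[11] == crc >> 24

def crc_check(password, blob, crc):
    """Decrypt the whole member and compare the CRC-32 of the result."""
    return zlib.crc32(ZipCrypto(password).crypt(blob, decrypt=True)[12:]) == crc

def survey(real=b"4321", text=b"constructed sample text\n" * 4):
    # Constructed member and candidate list: every four-digit string.
    blob, crc = encrypt_member(real, text)
    hits = [p for p in (b"%04d" % n for n in range(10000)) if header_check(p, blob, crc)]
    return hits, [p for p in hits if crc_check(p, blob, crc)]

if __name__ == "__main__":
    print(*map(len, survey()), "pass header check / pass CRC-32 check")
```

For a deflated member the decrypted data has to be inflated before the CRC-32 comparison, and a decompression error at that stage is also a sign of a wrong password.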
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.