Zipfile sometimes considers a false password to be correct #55085

Closed
KiraErethon mannequin opened this issue Jan 9, 2011 · 10 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

KiraErethon mannequin commented Jan 9, 2011

BPO 10876
Nosy @pitrou, @ericvsmith

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2011-01-19.00:17:53.135>
created_at = <Date 2011-01-09.22:17:42.840>
labels = ['invalid', 'type-bug', 'library']
title = 'Zipfile sometimes considers a false password to be correct'
updated_at = <Date 2011-01-19.01:03:24.219>
user = 'https://bugs.python.org/KiraErethon'

bugs.python.org fields:

activity = <Date 2011-01-19.01:03:24.219>
actor = 'Kira.Erethon'
assignee = 'none'
closed = True
closed_date = <Date 2011-01-19.00:17:53.135>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-01-09.22:17:42.840>
creator = 'Kira.Erethon'
dependencies = []
files = []
hgrepos = []
issue_num = 10876
keywords = []
message_count = 10.0
messages = ['125867', '125871', '125872', '125873', '125896', '126505', '126508', '126511', '126512', '126513']
nosy_count = 3.0
nosy_names = ['pitrou', 'eric.smith', 'Kira.Erethon']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = None
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue10876'
versions = ['Python 3.1', 'Python 2.7', 'Python 3.2']

KiraErethon mannequin commented Jan 9, 2011

Was playing around with Zipfile and passwords in zip files and I noticed that when the password on zipfile.setpassword(pwd) was set to 610, the program crashed with the following errors:

  File "/usr/lib/python2.6/zipfile.py", line 938, in extractall
    self.extract(zipinfo, path, pwd)
  File "/usr/lib/python2.6/zipfile.py", line 926, in extract
    return self._extract_member(member, path, pwd)
  File "/usr/lib/python2.6/zipfile.py", line 971, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib/python2.6/shutil.py", line 28, in copyfileobj
    buf = fsrc.read(length)
  File "/usr/lib/python2.6/zipfile.py", line 612, in read
    newdata = self.dc.decompress(newdata)
zlib.error: Error -3 while decompressing: invalid distance too far back

@KiraErethon KiraErethon mannequin added type-crash A hard crash of the interpreter, possibly with a core dump extension-modules C modules in the Modules dir labels Jan 9, 2011
@KiraErethon KiraErethon mannequin changed the title Zipfile crashes when zip password is 610 Zipfile crashes when zip password is set to 610 Jan 9, 2011
@ericvsmith
Member

What do you mean by "is set to 610"? Can you show us the code that caused this error?

KiraErethon mannequin commented Jan 9, 2011

Ok, I tried recreating the bug and found out that I couldn't. Originally this happened when I tried to find the password of a zip file through a dictionary attack. The code I used is this:

import zipfile

zfile=raw_input("Please input zip's file name\n")
diction=raw_input("Please input dictionary\n")
found = False
zipf = zipfile.ZipFile( zfile, 'r' )
f = open(diction, 'r')
for line in f:
    pswd = line
    pswd = pswd[:-1]
    zipf.setpassword(pswd)
    try:
        zipf.extractall()
        found = True
        break
    except RuntimeError:
        continue
zipf.close()  

First time I encountered the bug was when on my dictionary I had all the numbers from 000 to 999 and saw that it crashed at 610. Now it crashes at 844. Even when I do this

import zipfile

zfile=raw_input("Please input zip's file name\n")
zipf = zipfile.ZipFile( zfile, 'r' )
zipf.setpassword('844')
zipf.extractall()
zipf.close()  

it crashes with the error in my first post.
If this is any help, I'm using Python 2.6.6 on Linux and the number changed from 610 to 844 when I opened a new terminal window.

@KiraErethon KiraErethon mannequin changed the title Zipfile crashes when zip password is set to 610 Zipfile crashes when zip password is set to 610/844 Jan 9, 2011
KiraErethon mannequin commented Jan 9, 2011

Update, tried this in another machine of mine, same exact code and this time it crashes at 68

@KiraErethon KiraErethon mannequin changed the title Zipfile crashes when zip password is set to 610/844 Zipfile crashes when zip password is set to 610/844/numerous other numbers Jan 9, 2011
pitrou commented Jan 10, 2011

Well, the password-checking scheme uses a one-byte check against the zip header for consistency.
So there is a (near) 1/256 chance of false positives, that is, of bad passwords mistakenly detected as good; then the ZipFile class proceeds with unarchiving and that's where things fail (because the "decrypted" stream is really junk).

Therefore, I'd call it not a bug. If you want to crack a password, you need to trap this exception and interpret it as "bad password".

@pitrou pitrou closed this as completed Jan 10, 2011
@pitrou pitrou added invalid type-bug An unexpected behavior, bug, or error and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Jan 10, 2011
KiraErethon mannequin commented Jan 19, 2011

Sorry to re-open this, but I consider it an important bug. Tried it in 3.1 also and it's still there. To sum up what's happening, zipfile sometimes considers a false password to be correct and proceeds with decrypting the file. Is there a workaround for this? Or even checking if a file has been decrypted correctly?

@KiraErethon KiraErethon mannequin reopened this Jan 19, 2011
@KiraErethon KiraErethon mannequin removed the invalid label Jan 19, 2011
@KiraErethon KiraErethon mannequin changed the title Zipfile crashes when zip password is set to 610/844/numerous other numbers Zipfile sometimes considers a false password to be correct Jan 19, 2011
@KiraErethon KiraErethon mannequin added stdlib Python modules in the Lib dir and removed extension-modules C modules in the Modules dir labels Jan 19, 2011
pitrou commented Jan 19, 2011

As I already explained:

  • why it doesn't detect that the password is bad is because the ZIP format is not well-designed enough
  • you can catch the zlib error which indicates that decryption returned junk

@pitrou pitrou closed this as completed Jan 19, 2011
@pitrou pitrou added the invalid label Jan 19, 2011
KiraErethon mannequin commented Jan 19, 2011

I'm catching all errors and exceptions and zipfile still decompresses it, that's what I've been trying to tell you. I don't face my original problem anymore, I'm catching that exception, now zipfile considers some passwords to be correct and throws no exception, it just decompresses the file (which contains junk since the password was wrong). That's for the second bullet of your message.

pitrou commented Jan 19, 2011

> I'm catching all errors and exceptions and zipfile still decompresses
> it, that's what I've been trying to tell you. I don't face my original
> problem anymore, I'm catching that exception, now zipfile considers
> some passwords to be correct and throws no exception, it just
> decompresses the file (which contains junk since the password was
> wrong). That's for the second bullet of your message.

Then I suppose the file(s) inside the zip archive are not compressed,
or the compressed contents are miraculously "good" enough for the zlib
not to complain. But, really, unless you have a precise solution to
propose, that's nothing Python can do anything about.

(of course, if you have an idea about the contents of that zip file, you
can devise an application-specific algorithm for validating the
contents)

KiraErethon mannequin commented Jan 19, 2011

I'm a newbie in Python and tried this in order to learn. I created all the zip files (first created a .txt file and zipped it with a password), so I know the file inside the zip is encrypted (ofc I know the password too). Tried this with different .txt files and file names just in case there was some problem with the naming (didn't use any unicode file names). I'm not really at a level I can propose a solution, only thing I know is that zipfile can "decompress" the same file with 4 or more passwords without throwing any exception. Of course only one of those passwords is correct.
So, bottom line is it's a problem of the zip format and not Python eh?

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
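
Added example (not part of the original thread and not CPython's zipfile code): a self-contained reimplementation of the traditional PKZIP cipher over a constructed in-memory entry, showing the one-byte header check discussed above passing for roughly 1 in 256 wrong passwords, while a stricter check (inflate, then CRC-32 of the result) rejects them. The password `secret`, the sample plaintext and all function names are assumptions made for the illustration.

```python
import zlib

def _entry(i):                      # CRC-32 table used by the PKZIP key schedule
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i
TABLE = [_entry(i) for i in range(256)]

def _update(keys, b):               # advance the three 32-bit keys by one byte
    keys[0] = (keys[0] >> 8) ^ TABLE[(keys[0] ^ b) & 0xFF]
    keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = (keys[2] >> 8) ^ TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

def _crypt(password, data, decrypt):
    keys, out = [0x12345678, 0x23456789, 0x34567890], bytearray()
    for b in password:
        _update(keys, b)
    for b in data:
        t = keys[2] | 2
        x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
        out.append(x)
        _update(keys, x if decrypt else b)   # keys always advance on plaintext
    return bytes(out)

# Constructed entry: 12-byte header (byte 11 = top byte of CRC-32) + raw deflate.
PLAIN = b"constructed sample text, not taken from the issue\n" * 20
CRC = zlib.crc32(PLAIN)
_co = zlib.compressobj(9, zlib.DEFLATED, -15)
_body = _co.compress(PLAIN) + _co.flush()
ENTRY = _crypt(b"secret", bytes(11) + bytes([CRC >> 24]) + _body, False)

def header_check(password):         # the one-byte test the format provides
    return _crypt(password, ENTRY[:12], True)[11] == CRC >> 24

def full_check(password):           # header byte, then inflate, then CRC-32
    if not header_check(password):
        return False
    try:
        data = zlib.decompressobj(-15).decompress(_crypt(password, ENTRY, True)[12:])
    except zlib.error:              # junk plaintext: the traceback in the report
        return False
    return zlib.crc32(data) == CRC

def survey(n=10000):                # every candidate here is a wrong password
    passed = [p for p in (b"%04d" % i for i in range(n)) if header_check(p)]
    return len(passed), sum(full_check(p) for p in passed)

if __name__ == "__main__":
    print("passed header check, passed full check:", survey())
```

With the standard library, the same effect comes from reading every member to the end and treating `RuntimeError`, `zlib.error` and `zipfile.BadZipFile` (raised on a CRC-32 mismatch in current Python 3) alike as a wrong password.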