From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001 From: nick sung Date: Fri, 17 May 2019 15:45:31 +0800 Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. This gave us the idea of documentation improvement. So, we moved a little bit forward :P And the doc patch can be found (pr). --- Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index 9db9697105d6b5..965369de2a13c3 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -816,5 +816,34 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- + +The extraction in zipfile module might fail against some pitfalls listed below. + +From file itself + Decompression may fail due to incorrect password / CRC checksum / ZIP format or + unsupported compression method / decryption. + +File System limitations + Exceeding limitations on different file systems can cause decompression failed. + Such as allowable characters in the directory entries, length of the file name, + length of the pathname, size of a single file, and number of files, etc. + +Resources limitations + The lack of memory or disk volume would lead to decompression + failed. For example, decompression bombs (aka `ZIP bomb`_) + apply to zipfile library that can cause disk volume exhaustion. + +Interruption + Interruption during the decompression, such as pressing control-C or killing the + decompression process may result in incomplete decompression of the archive. + +Default behaviors of extraction + Not knowing the default extraction behaviors + can cause unexpected decompression results. + For example, when extracting the same archive twice, + it overwrites files without asking. +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT From e55fada4eed93b1c79d081dd5ae487a5a994c85a Mon Sep 17 00:00:00 2001 From: Nick Sung Date: Sat, 1 Jun 2019 23:15:07 +0800 Subject: [PATCH 2/4] fix trailing whitespace --- Doc/library/zipfile.rst | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index 965369de2a13c3..349ca911e6d4f4 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -822,28 +822,29 @@ Decompression pitfalls The extraction in zipfile module might fail against some pitfalls listed below. From file itself - Decompression may fail due to incorrect password / CRC checksum / ZIP format or + Decompression may fail due to incorrect password / CRC checksum / ZIP format or unsupported compression method / decryption. File System limitations - Exceeding limitations on different file systems can cause decompression failed. - Such as allowable characters in the directory entries, length of the file name, + Exceeding limitations on different file systems can cause decompression failed. + Such as allowable characters in the directory entries, length of the file name, length of the pathname, size of a single file, and number of files, etc. Resources limitations The lack of memory or disk volume would lead to decompression - failed. For example, decompression bombs (aka `ZIP bomb`_) + failed. For example, decompression bombs (aka `ZIP bomb`_) apply to zipfile library that can cause disk volume exhaustion. Interruption - Interruption during the decompression, such as pressing control-C or killing the + Interruption during the decompression, such as pressing control-C or killing the decompression process may result in incomplete decompression of the archive. Default behaviors of extraction - Not knowing the default extraction behaviors - can cause unexpected decompression results. - For example, when extracting the same archive twice, - it overwrites files without asking. + Not knowing the default extraction behaviors + can cause unexpected decompression results. + For example, when extracting the same archive twice, + it overwrites files without asking. + .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT From 2cdc370c611c7af6c05bd6e51bf87b3cbfc0cabe Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" Date: Tue, 4 Jun 2019 09:29:05 +0000 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst new file mode 100644 index 00000000000000..9276516a882393 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst @@ -0,0 +1 @@ +Add decompression pitfalls to zipfile module documentation. \ No newline at end of file From a28cc2a980ebbf7a7ea1201d2cfabd2f2d17cca3 Mon Sep 17 00:00:00 2001 From: "Jason R. Coombs" Date: Wed, 11 Sep 2019 15:17:59 +0100 Subject: [PATCH 4/4] Reformat text for consistency. --- Doc/library/zipfile.rst | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index 349ca911e6d4f4..18d2e9a60a7ba1 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -819,31 +819,41 @@ Command-line options Decompression pitfalls ---------------------- -The extraction in zipfile module might fail against some pitfalls listed below. +The extraction in zipfile module might fail due to some pitfalls listed below. From file itself - Decompression may fail due to incorrect password / CRC checksum / ZIP format or - unsupported compression method / decryption. +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum / ZIP format or +unsupported compression method / decryption. File System limitations - Exceeding limitations on different file systems can cause decompression failed. - Such as allowable characters in the directory entries, length of the file name, - length of the pathname, size of a single file, and number of files, etc. +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause decompression failed. +Such as allowable characters in the directory entries, length of the file name, +length of the pathname, size of a single file, and number of files, etc. Resources limitations - The lack of memory or disk volume would lead to decompression - failed. For example, decompression bombs (aka `ZIP bomb`_) - apply to zipfile library that can cause disk volume exhaustion. +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) +apply to zipfile library that can cause disk volume exhaustion. Interruption - Interruption during the decompression, such as pressing control-C or killing the - decompression process may result in incomplete decompression of the archive. +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C or killing the +decompression process may result in incomplete decompression of the archive. Default behaviors of extraction - Not knowing the default extraction behaviors - can cause unexpected decompression results. - For example, when extracting the same archive twice, - it overwrites files without asking. +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors +can cause unexpected decompression results. +For example, when extracting the same archive twice, +it overwrites files without asking. .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb