From 241a0c7192b6c99b6665c8126e66b2d6d2b7de8d Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Sun, 20 Jan 2008 09:06:41 +0000 Subject: Merged revisions 60094-60123 via svnmerge from svn+ssh://pythondev@svn.python.org/python/trunk *** NOTE *** I haven't merged the files in Doc/c-api/. I got too many conflicts. Georg, please split them manually. ........ r60095 | andrew.kuchling | 2008-01-19 21:12:04 +0100 (Sat, 19 Jan 2008) | 2 lines Bug 1277: make Maildir use the user-provided factory instead of hard-wiring MaildirMessage. 2.5.2 bugfix candidate. ........ r60097 | georg.brandl | 2008-01-19 21:22:13 +0100 (Sat, 19 Jan 2008) | 4 lines #1663329: add os.closerange() to close a range of fds, ignoring errors, and use this in subprocess to speed up subprocess creation in close_fds mode. Patch by Mike Klaas. ........ r60099 | georg.brandl | 2008-01-19 21:40:24 +0100 (Sat, 19 Jan 2008) | 2 lines #1411695: clarify behavior of xml.sax.utils.[un]escape. ........ r60101 | andrew.kuchling | 2008-01-19 21:47:59 +0100 (Sat, 19 Jan 2008) | 7 lines Patch #1019808 from Federico Schwindt: Return correct socket error when a default timeout has been set, by using getsockopt() to get the error condition (instead of trying another connect() call, which seems to be a Linuxism). 2.5 bugfix candidate, assuming no one reports any problems with this change. ........ r60102 | gregory.p.smith | 2008-01-19 21:49:02 +0100 (Sat, 19 Jan 2008) | 3 lines fix comment typos, use not arg instead of arg == "", add test coverage for inside of the final if needquotes: within subprocess.list2cmdline(). ........ r60103 | georg.brandl | 2008-01-19 21:53:07 +0100 (Sat, 19 Jan 2008) | 2 lines #1509: fix sqlite3 docstrings and docs w.r.t. cursor.fetchXXX methods. ........ r60104 | gregory.p.smith | 2008-01-19 21:57:59 +0100 (Sat, 19 Jan 2008) | 6 lines Fixes issue1336 - a race condition could occur when forking if the gc kicked in during the critical section. solution: disable gc during that section. 
Patch contributed by jpa and updated by me to cover the race condition still existing what therve from twistedmatrix pointed out (already seen and fixed in twisted's own subprocess code). ........ r60105 | gregory.p.smith | 2008-01-19 22:00:37 +0100 (Sat, 19 Jan 2008) | 2 lines note about r60104 ........ r60106 | andrew.kuchling | 2008-01-19 22:00:38 +0100 (Sat, 19 Jan 2008) | 1 line Bug 1296: restore text describing OptionGroup ........ r60109 | georg.brandl | 2008-01-19 23:08:21 +0100 (Sat, 19 Jan 2008) | 2 lines Split the monstrous C API manual files in smaller parts. ........ r60110 | georg.brandl | 2008-01-19 23:14:27 +0100 (Sat, 19 Jan 2008) | 2 lines Missed one big file to split up. ........ r60111 | gregory.p.smith | 2008-01-19 23:23:56 +0100 (Sat, 19 Jan 2008) | 12 lines Undo an unnecessary else: and indentation that r60104 added. try: ... except: ... raise else: ... the else: is unecessary due to the blind except: with a raise. ........ r60115 | gregory.p.smith | 2008-01-19 23:49:37 +0100 (Sat, 19 Jan 2008) | 3 lines Fix issue 1300: Quote command line arguments that contain a '|' character in subprocess.list2cmdline (windows). ........ r60116 | gregory.p.smith | 2008-01-20 00:10:52 +0100 (Sun, 20 Jan 2008) | 3 lines Fixes/Accepts Patch for issue1189216 - Work properly with archives that have file headers past the 2**31 byte boundary. ........ r60119 | andrew.kuchling | 2008-01-20 01:00:38 +0100 (Sun, 20 Jan 2008) | 3 lines Patch #1048820 from Stefan Wehr: add insert-mode editing to Textbox. Fix an off-by-one error I noticed. ........ r60120 | andrew.kuchling | 2008-01-20 01:12:19 +0100 (Sun, 20 Jan 2008) | 1 line Add an interactive test script for exercising curses ........ r60121 | gregory.p.smith | 2008-01-20 02:21:03 +0100 (Sun, 20 Jan 2008) | 7 lines Fix zipfile decryption. The check for validity only worked on one type of encrypted zip files. Files using extended local headers needed to compare the check byte against different values. 
(according to reading the infozip unzip crypt.c source code) Fixes issue1003. ........ r60122 | gregory.p.smith | 2008-01-20 02:26:04 +0100 (Sun, 20 Jan 2008) | 2 lines note for r60121 ........ r60123 | gregory.p.smith | 2008-01-20 02:32:00 +0100 (Sun, 20 Jan 2008) | 4 lines Document that zipfile decryption is insanely slow and fix a typo and blatant lie in a docstring (it is not useful for security regardless of how you spell it). ........ --- Lib/zipfile.py | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'Lib/zipfile.py') diff --git a/Lib/zipfile.py b/Lib/zipfile.py index 9f98728496..2865c0a2c1 100644 --- a/Lib/zipfile.py +++ b/Lib/zipfile.py @@ -34,9 +34,9 @@ ZIP_DEFLATED = 8 # Other ZIP compression methods not supported # Here are some struct module formats for reading headers -structEndArchive = "<4s4H2lH" # 9 items, end of archive, 22 bytes +structEndArchive = "<4s4H2LH" # 9 items, end of archive, 22 bytes stringEndArchive = b"PK\005\006" # magic number for end of archive record -structCentralDir = "<4s4B4HlLL5HLl"# 19 items, central directory, 46 bytes +structCentralDir = "<4s4B4HlLL5HLL"# 19 items, central directory, 46 bytes stringCentralDir = b"PK\001\002" # magic number for central directory structFileHeader = "<4s2B4HlLL2H" # 12 items, file header record, 30 bytes stringFileHeader = b"PK\003\004" # magic number for file header @@ -188,6 +188,7 @@ class ZipInfo (object): 'CRC', 'compress_size', 'file_size', + '_raw_time', ) def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)): @@ -303,7 +304,7 @@ class _ZipDecrypter: ZIP supports a password-based form of encryption. Even though known plaintext attacks have been found against it, it is still useful - for low-level securicy. + to be able to get data out of such a file. Usage: zd = _ZipDecrypter(mypwd) 
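Review bot: The format strings in the first hunk now mix signed `l` and unsigned `L` codes, and nothing in the comments says which fields were switched or why. `structEndArchive` and the last field of `structCentralDir` become unsigned, while the `l` after `4H` in `structCentralDir` and in `structFileHeader` stays signed (presumably the CRC). A comment such as `# sizes and offsets are unsigned 32-bit (L) so headers past 2**31 unpack correctly` above the block would record the intent. Because these values come straight from the archive and can now be as large as 2**32-1, the code that seeks with them (outside this hunk) should compare them against the real file size before use.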
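Review bot: The reworded `_ZipDecrypter` docstring explains why the decrypter exists but no longer tells a reader how much protection the scheme gives. Since the text already mentions known plaintext attacks, a following line such as `Do not rely on this encryption to keep data confidential.` would state the consequence directly. The class body continues outside the hunk.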
@@ -690,6 +691,7 @@ class ZipFile: x.CRC, x.compress_size, x.file_size) = centdir[1:12] x.volume, x.internal_attr, x.external_attr = centdir[15:18] # Convert date/time code to (year, month, day, hour, min, sec) + x._raw_time = t x.date_time = ( (d>>9)+1980, (d>>5)&0xF, d&0x1F, t>>11, (t>>5)&0x3F, (t&0x1F) * 2 ) @@ -800,11 +802,18 @@ class ZipFile: # The first 12 bytes in the cypher stream is an encryption header # used to strengthen the algorithm. The first 11 bytes are # completely random, while the 12th contains the MSB of the CRC, + # or the MSB of the file time depending on the header type # and is used to check the correctness of the password. bytes = zef_file.read(12) h = list(map(zd, bytes[0:12])) - if h[11] != ((zinfo.CRC>>24) & 255): - raise RuntimeError("Bad password for file %s" % name) + if zinfo.flag_bits & 0x8: + # compare against the file type from extended local headers + check_byte = (zinfo._raw_time >> 8) & 0xff + else: + # compare against the CRC otherwise + check_byte = (zinfo.CRC >> 24) & 0xff + if h[11] != check_byte: + raise RuntimeError("Bad password for file", name) # build and return a ZipExtFile if zd is None: -- cgit v1.2.1
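Review bot: `x._raw_time = t` is inserted between the comment `# Convert date/time code to (year, month, day, hour, min, sec)` and the `x.date_time` expression it describes; moving the assignment above the comment keeps the two together. In the lines shown this is the only place the new `_raw_time` slot is assigned, so a `ZipInfo` that was not read from a central directory would presumably raise AttributeError when the password check reads `zinfo._raw_time`. `__init__` is outside the hunk; a default such as `self._raw_time = 0` there would close that gap. The enclosing method starts and ends outside the hunk.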
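Review bot: The rewritten `raise RuntimeError("Bad password for file", name)` passes the name as a second exception argument, so the rendered message becomes a tuple repr rather than a sentence; `raise RuntimeError("Bad password for file %r" % name)` keeps one readable string. The comment on the `flag_bits & 0x8` branch says "file type" while the code uses `_raw_time`, so it should read `# compare against the file time from extended local headers`. Since `h[11] != check_byte` tests a single byte, roughly one wrong password in 256 passes this check, and a comment such as `# one-byte check only: a wrong password can still pass; the CRC of the decrypted data is the real test` would keep callers from treating it as verification. The enclosing method starts and ends outside the hunk, so whether that CRC test runs there cannot be seen from here.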