Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
cpython
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
cpython
Commits
addebca7
Commit
addebca7
authored
Feb 01, 2013
by
Brett Cannon
Browse files
Options
Browse Files
Download
Plain Diff
merge
parents
da9cf0ee
ee9b1722
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
123 additions
and
28 deletions
+123
-28
Doc/library/zipfile.rst
Doc/library/zipfile.rst
+12
-5
Lib/test/test_zipfile.py
Lib/test/test_zipfile.py
+77
-9
Lib/zipfile.py
Lib/zipfile.py
+16
-11
Misc/NEWS
Misc/NEWS
+9
-0
Modules/_io/iobase.c
Modules/_io/iobase.c
+4
-1
Modules/_io/textio.c
Modules/_io/textio.c
+5
-2
No files found.
Doc/library/zipfile.rst
View file @
addebca7
...
@@ -242,6 +242,16 @@ ZipFile Objects
...
@@ -242,6 +242,16 @@ ZipFile Objects
to
extract
to
.
*
member
*
can
be
a
filename
or
a
:
class
:`
ZipInfo
`
object
.
to
extract
to
.
*
member
*
can
be
a
filename
or
a
:
class
:`
ZipInfo
`
object
.
*
pwd
*
is
the
password
used
for
encrypted
files
.
*
pwd
*
is
the
password
used
for
encrypted
files
.
..
note
::
If
a
member
filename
is
an
absolute
path
,
a
drive
/
UNC
sharepoint
and
leading
(
back
)
slashes
will
be
stripped
,
e
.
g
.:
``///
foo
/
bar
``
becomes
``
foo
/
bar
``
on
Unix
,
and
``
С
:\
foo
\
bar
``
becomes
``
foo
\
bar
``
on
Windows
.
And
all
``
".."
``
components
in
a
member
filename
will
be
removed
,
e
.
g
.:
``../../
foo
../../
ba
..
r
``
becomes
``
foo
../
ba
..
r
``.
On
Windows
illegal
characters
(``:``,
``<``,
``>``,
``|``,
``
"``, ``?``, and ``*``)
replaced by underscore (``_``).
.. method:: ZipFile.extractall(path=None, members=None, pwd=None)
.. method:: ZipFile.extractall(path=None, members=None, pwd=None)
...
@@ -250,12 +260,9 @@ ZipFile Objects
...
@@ -250,12 +260,9 @@ ZipFile Objects
be a subset of the list returned by :meth:`namelist`. *pwd* is the password
be a subset of the list returned by :meth:`namelist`. *pwd* is the password
used for encrypted files.
used for encrypted files.
..
warning
::
..
note
::
Never
extract
archives
from
untrusted
sources
without
prior
inspection
.
See :meth:`extract` note.
It
is
possible
that
files
are
created
outside
of
*
path
*,
e
.
g
.
members
that
have
absolute
filenames
starting
with
``
"/"
``
or
filenames
with
two
dots
``
".."
``.
.. method:: ZipFile.printdir()
.. method:: ZipFile.printdir()
...
...
Lib/test/test_zipfile.py
View file @
addebca7
...
@@ -24,7 +24,7 @@ DATAFILES_DIR = 'zipfile_datafiles'
...
@@ -24,7 +24,7 @@ DATAFILES_DIR = 'zipfile_datafiles'
SMALL_TEST_DATA
=
[(
'_ziptest1'
,
'1q2w3e4r5t'
),
SMALL_TEST_DATA
=
[(
'_ziptest1'
,
'1q2w3e4r5t'
),
(
'ziptest2dir/_ziptest2'
,
'qawsedrftg'
),
(
'ziptest2dir/_ziptest2'
,
'qawsedrftg'
),
(
'
/
ziptest2dir/ziptest3dir/_ziptest3'
,
'azsxdcfvgb'
),
(
'ziptest2dir/ziptest3dir/_ziptest3'
,
'azsxdcfvgb'
),
(
'ziptest2dir/ziptest3dir/ziptest4dir/_ziptest3'
,
'6y7u8i9o0p'
)]
(
'ziptest2dir/ziptest3dir/ziptest4dir/_ziptest3'
,
'6y7u8i9o0p'
)]
...
@@ -501,9 +501,6 @@ class TestsWithSourceFile(unittest.TestCase):
...
@@ -501,9 +501,6 @@ class TestsWithSourceFile(unittest.TestCase):
writtenfile
=
zipfp
.
extract
(
fpath
)
writtenfile
=
zipfp
.
extract
(
fpath
)
# make sure it was written to the right place
# make sure it was written to the right place
if
os
.
path
.
isabs
(
fpath
):
correctfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
[
1
:])
else
:
correctfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
)
correctfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
)
correctfile
=
os
.
path
.
normpath
(
correctfile
)
correctfile
=
os
.
path
.
normpath
(
correctfile
)
...
@@ -526,9 +523,6 @@ class TestsWithSourceFile(unittest.TestCase):
...
@@ -526,9 +523,6 @@ class TestsWithSourceFile(unittest.TestCase):
with
zipfile
.
ZipFile
(
TESTFN2
,
"r"
)
as
zipfp
:
with
zipfile
.
ZipFile
(
TESTFN2
,
"r"
)
as
zipfp
:
zipfp
.
extractall
()
zipfp
.
extractall
()
for
fpath
,
fdata
in
SMALL_TEST_DATA
:
for
fpath
,
fdata
in
SMALL_TEST_DATA
:
if
os
.
path
.
isabs
(
fpath
):
outfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
[
1
:])
else
:
outfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
)
outfile
=
os
.
path
.
join
(
os
.
getcwd
(),
fpath
)
with
open
(
outfile
,
"rb"
)
as
f
:
with
open
(
outfile
,
"rb"
)
as
f
:
...
@@ -539,6 +533,80 @@ class TestsWithSourceFile(unittest.TestCase):
...
@@ -539,6 +533,80 @@ class TestsWithSourceFile(unittest.TestCase):
# remove the test file subdirectories
# remove the test file subdirectories
shutil
.
rmtree
(
os
.
path
.
join
(
os
.
getcwd
(),
'ziptest2dir'
))
shutil
.
rmtree
(
os
.
path
.
join
(
os
.
getcwd
(),
'ziptest2dir'
))
def
check_file
(
self
,
filename
,
content
):
self
.
assertTrue
(
os
.
path
.
isfile
(
filename
))
with
open
(
filename
,
'rb'
)
as
f
:
self
.
assertEqual
(
f
.
read
(),
content
)
def
test_extract_hackers_arcnames
(
self
):
hacknames
=
[
(
'../foo/bar'
,
'foo/bar'
),
(
'foo/../bar'
,
'foo/bar'
),
(
'foo/../../bar'
,
'foo/bar'
),
(
'foo/bar/..'
,
'foo/bar'
),
(
'./../foo/bar'
,
'foo/bar'
),
(
'/foo/bar'
,
'foo/bar'
),
(
'/foo/../bar'
,
'foo/bar'
),
(
'/foo/../../bar'
,
'foo/bar'
),
(
'//foo/bar'
,
'foo/bar'
),
(
'../../foo../../ba..r'
,
'foo../ba..r'
),
]
if
os
.
path
.
sep
==
'
\
\
'
:
# Windows.
hacknames
.
extend
([
(
r'..\foo\bar'
,
'foo/bar'
),
(
r'..\
/
foo\
/
bar'
,
'foo/bar'
),
(
r'foo/\
..
\/bar'
,
'foo/bar'
),
(
r'foo\
/../
\bar'
,
'foo/bar'
),
(
r'C:foo/bar'
,
'foo/bar'
),
(
r'C:/foo/bar'
,
'foo/bar'
),
(
r'C://foo/bar'
,
'foo/bar'
),
(
r'C:\foo\bar'
,
'foo/bar'
),
(
r'//conky/mountpoint/foo/bar'
,
'foo/bar'
),
(
r'\\conky\
mou
ntpoint\foo\bar'
,
'foo/bar'
),
(
r'///conky/mountpoint/foo/bar'
,
'conky/mountpoint/foo/bar'
),
(
r'\\\
co
nky\
mou
ntpoint\foo\bar'
,
'conky/mountpoint/foo/bar'
),
(
r'//conky//mountpoint/foo/bar'
,
'conky/mountpoint/foo/bar'
),
(
r'\\conky\\mountpoint\foo\bar'
,
'conky/mountpoint/foo/bar'
),
(
r'//?/C:/foo/bar'
,
'foo/bar'
),
(
r'\\?\
C:
\foo\bar'
,
'foo/bar'
),
(
r'C:/../C:/foo/bar'
,
'C_/foo/bar'
),
(
r'a:b\
c<d>e|
f"g?h*i'
,
'b/c_d_e_f_g_h_i'
),
])
for
arcname
,
fixedname
in
hacknames
:
content
=
b'foobar'
+
arcname
.
encode
()
with
zipfile
.
ZipFile
(
TESTFN2
,
'w'
,
zipfile
.
ZIP_STORED
)
as
zipfp
:
zipfp
.
writestr
(
arcname
,
content
)
targetpath
=
os
.
path
.
join
(
'target'
,
'subdir'
,
'subsub'
)
correctfile
=
os
.
path
.
join
(
targetpath
,
*
fixedname
.
split
(
'/'
))
with
zipfile
.
ZipFile
(
TESTFN2
,
'r'
)
as
zipfp
:
writtenfile
=
zipfp
.
extract
(
arcname
,
targetpath
)
self
.
assertEqual
(
writtenfile
,
correctfile
)
self
.
check_file
(
correctfile
,
content
)
shutil
.
rmtree
(
'target'
)
with
zipfile
.
ZipFile
(
TESTFN2
,
'r'
)
as
zipfp
:
zipfp
.
extractall
(
targetpath
)
self
.
check_file
(
correctfile
,
content
)
shutil
.
rmtree
(
'target'
)
correctfile
=
os
.
path
.
join
(
os
.
getcwd
(),
*
fixedname
.
split
(
'/'
))
with
zipfile
.
ZipFile
(
TESTFN2
,
'r'
)
as
zipfp
:
writtenfile
=
zipfp
.
extract
(
arcname
)
self
.
assertEqual
(
writtenfile
,
correctfile
)
self
.
check_file
(
correctfile
,
content
)
shutil
.
rmtree
(
fixedname
.
split
(
'/'
)[
0
])
with
zipfile
.
ZipFile
(
TESTFN2
,
'r'
)
as
zipfp
:
zipfp
.
extractall
()
self
.
check_file
(
correctfile
,
content
)
shutil
.
rmtree
(
fixedname
.
split
(
'/'
)[
0
])
os
.
remove
(
TESTFN2
)
def
test_writestr_compression_stored
(
self
):
def
test_writestr_compression_stored
(
self
):
zipfp
=
zipfile
.
ZipFile
(
TESTFN2
,
"w"
)
zipfp
=
zipfile
.
ZipFile
(
TESTFN2
,
"w"
)
zipfp
.
writestr
(
"a.txt"
,
"hello world"
,
compress_type
=
zipfile
.
ZIP_STORED
)
zipfp
.
writestr
(
"a.txt"
,
"hello world"
,
compress_type
=
zipfile
.
ZIP_STORED
)
...
...
Lib/zipfile.py
View file @
addebca7
...
@@ -1229,17 +1229,22 @@ class ZipFile:
...
@@ -1229,17 +1229,22 @@ class ZipFile:
"""
"""
# build the destination pathname, replacing
# build the destination pathname, replacing
# forward slashes to platform specific separators.
# forward slashes to platform specific separators.
# Strip trailing path separator, unless it represents the root.
arcname
=
member
.
filename
.
replace
(
'/'
,
os
.
path
.
sep
)
if
(
targetpath
[
-
1
:]
in
(
os
.
path
.
sep
,
os
.
path
.
altsep
)
and
len
(
os
.
path
.
splitdrive
(
targetpath
)[
1
])
>
1
):
if
os
.
path
.
altsep
:
targetpath
=
targetpath
[:
-
1
]
arcname
=
arcname
.
replace
(
os
.
path
.
altsep
,
os
.
path
.
sep
)
# interpret absolute pathname as relative, remove drive letter or
# don't include leading "/" from file name if present
# UNC path, redundant separators, "." and ".." components.
if
member
.
filename
[
0
]
==
'/'
:
arcname
=
os
.
path
.
splitdrive
(
arcname
)[
1
]
targetpath
=
os
.
path
.
join
(
targetpath
,
member
.
filename
[
1
:])
arcname
=
os
.
path
.
sep
.
join
(
x
for
x
in
arcname
.
split
(
os
.
path
.
sep
)
else
:
if
x
not
in
(
''
,
os
.
path
.
curdir
,
os
.
path
.
pardir
))
targetpath
=
os
.
path
.
join
(
targetpath
,
member
.
filename
)
# filter illegal characters on Windows
if
os
.
path
.
sep
==
'
\
\
'
:
illegal
=
':<>|"?*'
table
=
str
.
maketrans
(
illegal
,
'_'
*
len
(
illegal
))
arcname
=
arcname
.
translate
(
table
)
targetpath
=
os
.
path
.
join
(
targetpath
,
arcname
)
targetpath
=
os
.
path
.
normpath
(
targetpath
)
targetpath
=
os
.
path
.
normpath
(
targetpath
)
# Create all upper directories if necessary.
# Create all upper directories if necessary.
...
...
Misc/NEWS
View file @
addebca7
...
@@ -167,6 +167,9 @@ Core and Builtins
...
@@ -167,6 +167,9 @@ Core and Builtins
Library
Library
-------
-------
- Issue #6972: The zipfile module no longer overwrites files outside of
its destination path when extracting malicious zip files.
- Issue #4844: ZipFile now raises BadZipFile when opens a ZIP file with an
- Issue #4844: ZipFile now raises BadZipFile when opens a ZIP file with an
incomplete "End of Central Directory" record. Original patch by Guilherme
incomplete "End of Central Directory" record. Original patch by Guilherme
Polo and Alan McIntyre.
Polo and Alan McIntyre.
...
@@ -503,6 +506,12 @@ Library
...
@@ -503,6 +506,12 @@ Library
- Issue #15906: Fix a regression in `argparse` caused by the preceding change,
- Issue #15906: Fix a regression in `argparse` caused by the preceding change,
when ``action='
append
'``, ``type='
str
'`` and ``default=[]``.
when ``action='
append
'``, ``type='
str
'`` and ``default=[]``.
Extension Modules
-----------------
- Issue #12268: The io module file object write methods no longer abort early
when one of its write system calls is interrupted (EINTR).
Tests
Tests
-----
-----
...
...
Modules/_io/iobase.c
View file @
addebca7
...
@@ -669,7 +669,10 @@ iobase_writelines(PyObject *self, PyObject *args)
...
@@ -669,7 +669,10 @@ iobase_writelines(PyObject *self, PyObject *args)
break
;
/* Stop Iteration */
break
;
/* Stop Iteration */
}
}
res
=
NULL
;
do
{
res
=
PyObject_CallMethodObjArgs
(
self
,
_PyIO_str_write
,
line
,
NULL
);
res
=
PyObject_CallMethodObjArgs
(
self
,
_PyIO_str_write
,
line
,
NULL
);
}
while
(
res
==
NULL
&&
_PyIO_trap_eintr
());
Py_DECREF
(
line
);
Py_DECREF
(
line
);
if
(
res
==
NULL
)
{
if
(
res
==
NULL
)
{
Py_DECREF
(
iter
);
Py_DECREF
(
iter
);
...
...
Modules/_io/textio.c
View file @
addebca7
...
@@ -1247,8 +1247,11 @@ _textiowrapper_writeflush(textio *self)
...
@@ -1247,8 +1247,11 @@ _textiowrapper_writeflush(textio *self)
Py_DECREF
(
pending
);
Py_DECREF
(
pending
);
if
(
b
==
NULL
)
if
(
b
==
NULL
)
return
-
1
;
return
-
1
;
ret
=
NULL
;
do
{
ret
=
PyObject_CallMethodObjArgs
(
self
->
buffer
,
ret
=
PyObject_CallMethodObjArgs
(
self
->
buffer
,
_PyIO_str_write
,
b
,
NULL
);
_PyIO_str_write
,
b
,
NULL
);
}
while
(
ret
==
NULL
&&
_PyIO_trap_eintr
());
Py_DECREF
(
b
);
Py_DECREF
(
b
);
if
(
ret
==
NULL
)
if
(
ret
==
NULL
)
return
-
1
;
return
-
1
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment