gh-117779: Fix reading duplicated entries in zipfile by name (GH-129254)

Serhiy Storchaka 2025-04-08 13:56:42 +03:00 committed by GitHub
parent ac3c439cdf
commit 0f04f2456a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 121 additions and 6 deletions


@ -1552,9 +1552,8 @@ class ZipFile:
print("total", total)
end_offset = self.start_dir
for zinfo in sorted(self.filelist,
key=lambda zinfo: zinfo.header_offset,
reverse=True):
for zinfo in reversed(sorted(self.filelist,
key=lambda zinfo: zinfo.header_offset)):
zinfo._end_offset = end_offset
end_offset = zinfo.header_offset
@ -1722,7 +1721,16 @@ class ZipFile:
if (zinfo._end_offset is not None and
zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")
if zinfo._end_offset == zinfo.header_offset:
import warnings
warnings.warn(
f"Overlapped entries: {zinfo.orig_filename!r} "
f"(possible zip bomb)",
skip_file_prefixes=(os.path.dirname(__file__),))
else:
raise BadZipFile(
f"Overlapped entries: {zinfo.orig_filename!r} "
f"(possible zip bomb)")
# check for encrypted flag & handle password
is_encrypted = zinfo.flag_bits & _MASK_ENCRYPTED
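Review bot: The new `warnings.warn(...)` branch for `zinfo._end_offset == zinfo.header_offset` passes no category, so it is a plain `UserWarning` that callers cannot single out, and under the default filter a repeat from the same call site is shown only once, however many entries share one local header. Because this branch turns what was a hard `BadZipFile` into a successful read, code that opens untrusted archives will now decompress the same data once per duplicate entry unless it escalates warnings to errors or caps the total extracted size itself. I would add a comment above the branch, e.g. `# Another central-directory entry has the same header offset (duplicated entry): still readable, so warn instead of failing; callers handling untrusted archives should treat this warning as an error.`, and consider a dedicated warning category so a filter can target it. Which of the duplicates ends up with `_end_offset == header_offset` is decided by the `reversed(sorted(...))` ordering in the first hunk (ties come out in reverse list order, unlike `reverse=True`), so that line deserves a one-line comment too, otherwise it may be simplified back. The enclosing method starts and ends outside the hunk.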