mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Bug #1413790: zipfile now sanitizes absolute archive names that are

Browse source 
not allowed by the specs.
This commit is contained in:
Georg Brandl 2006-02-20 08:40:38 +00:00
parent 200a58058a
commit 8f7c54eaa5
4 changed files with 26 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Doc/lib/libzipfile.tex
View file

@ -140,10 +140,13 @@ cat myzip.zip >> python.exe
compress_type}}} compress_type}}}
Write the file named \var{filename} to the archive, giving it the Write the file named \var{filename} to the archive, giving it the
archive name \var{arcname} (by default, this will be the same as archive name \var{arcname} (by default, this will be the same as
\var{filename}). If given, \var{compress_type} overrides the value \var{filename}, but without a drive letter and with leading path
separators removed). If given, \var{compress_type} overrides the value
given for the \var{compression} parameter to the constructor for given for the \var{compression} parameter to the constructor for
the new entry. The archive must be open with mode \code{'w'} or the new entry. The archive must be open with mode \code{'w'} or
\code{'a'}. \code{'a'}.
\note{Archive names should be relative to the archive root, that is,
they should not start with a path separator.}
\end{methoddesc} \end{methoddesc}
\begin{methoddesc}{writestr}{zinfo_or_arcname, bytes} \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes}

10
Lib/test/test_zipfile.py
View file

@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase):
for f in (TESTFN2, TemporaryFile(), StringIO()): for f in (TESTFN2, TemporaryFile(), StringIO()):
self.zipTest(f, zipfile.ZIP_DEFLATED) self.zipTest(f, zipfile.ZIP_DEFLATED)
def testAbsoluteArcnames(self):
zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED)
zipfp.write(TESTFN, "/absolute")
zipfp.close()
zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED)
self.assertEqual(zipfp.namelist(), ["absolute"])
zipfp.close()
def tearDown(self): def tearDown(self):
os.remove(TESTFN) os.remove(TESTFN)
os.remove(TESTFN2) os.remove(TESTFN2)

6
Lib/zipfile.py
View file

@ -397,8 +397,10 @@ class ZipFile:
date_time = mtime[0:6] date_time = mtime[0:6]
# Create ZipInfo instance to store file information # Create ZipInfo instance to store file information
if arcname is None: if arcname is None:
zinfo = ZipInfo(filename, date_time) arcname = filename
else: arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
while arcname[0] in (os.sep, os.altsep):
arcname = arcname[1:]
zinfo = ZipInfo(arcname, date_time) zinfo = ZipInfo(arcname, date_time)
zinfo.external_attr = (st[0] & 0xFFFF) << 16L # Unix attributes zinfo.external_attr = (st[0] & 0xFFFF) << 16L # Unix attributes
if compress_type is None: if compress_type is None:

6
Misc/NEWS
View file

@ -372,6 +372,12 @@ Extension Modules
Library Library
------- -------
- Bug #1413790: zipfile now sanitizes absolute archive names that are
not allowed by the specs.
- Bug #1413790: zipfile now sanitizes absolute archive names that are
not allowed by the specs.
- Patch #1215184: FileInput now can be given an opening hook which can - Patch #1215184: FileInput now can be given an opening hook which can
be used to control how files are opened. be used to control how files are opened.