Title: Zipfile sometimes considers a false password to be correct
Type: behavior
Components: Library (Lib)
Versions: Python 3.1, Python 3.2, Python 2.7
Status: closed
Resolution: not a bug
Nosy List: Kira.Erethon, eric.smith, pitrou
Priority: normal

Created on 2011-01-09 22:17 by Kira.Erethon, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (10)
msg125867 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-09 22:17
Was playing around with Zipfile and passwords in zip files and I noticed that when the password on zipfile.setpassword(pwd) was set to 610, the program crashed with the following errors:

  File "/usr/lib/python2.6/zipfile.py", line 938, in extractall
    self.extract(zipinfo, path, pwd)
  File "/usr/lib/python2.6/zipfile.py", line 926, in extract
    return self._extract_member(member, path, pwd)
  File "/usr/lib/python2.6/zipfile.py", line 971, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib/python2.6/shutil.py", line 28, in copyfileobj
    buf = fsrc.read(length)
  File "/usr/lib/python2.6/zipfile.py", line 612, in read
    newdata = self.dc.decompress(newdata)
zlib.error: Error -3 while decompressing: invalid distance too far back
msg125871 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2011-01-09 22:42
What do you mean by "is set to 610"? Can you show us the code that caused this error?
msg125872 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-09 23:12
Ok, I tried recreating the bug and found out that I couldn't. Originally this happened when I tried to find the password of a zip file through a dictionary attack. The code I used is this:

import zipfile

zfile=raw_input("Please input zip's file name\n")
diction=raw_input("Please input dictionary\n")
found = False
zipf = zipfile.ZipFile( zfile, 'r' )
f = open(diction, 'r')
for line in f:
    pswd = line
    pswd = pswd[:-1]
    zipf.setpassword(pswd)
    try:
        zipf.extractall()
        found = True
        break
    except RuntimeError:
        continue
zipf.close()  

First time I encountered the bug was when on my dictionary I had all the numbers from 000 to 999 and saw that it crashed at 610. Now it crashes at 844. Even when I do this

import zipfile

zfile=raw_input("Please input zip's file name\n")
zipf = zipfile.ZipFile( zfile, 'r' )
zipf.setpassword('844')
zipf.extractall()
zipf.close()  

it crashes with the error in my first post.
If this is any help, I'm using python 2.6.6 on linux and the number changed from 610 to 844 when I opened a new terminal window.
msg125873 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-09 23:37
Update, tried this in another machine of mine, same exact code and this time it crashes at 68.
msg125896 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-10 11:34
Well, the password-checking scheme uses a one-byte check against the zip header for consistency. 
So there is a (near) 1/256 chance of false positives, that is of bad passwords mistakenly detected as good; then the ZipFile class proceeds with unarchiving and that's where things fail (because the "decrypted" stream is really junk).

Therefore, I'd call it not a bug. If you want to crack a password, you need to trap this exception and interpret it as "bad password".
msg126505 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-19 00:06
Sorry to re-open this, but I consider it an important bug. Tried it in 3.1 also and it's still there. To sum up what's happening, zipfile sometimes considers a false password to be correct and proceeds with decrypting the file. Is there a workaround for this? Or even checking if a file has been decrypted correctly?
msg126508 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-19 00:17
As I already explained:
* why it doesn't detect that the password is bad is because the ZIP format is not well-designed enough
* you can catch the zlib error which indicates that decryption returned junk
msg126511 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-19 00:47
I'm catching all errors and exceptions and zipfile still decompresses it, that's what I've been trying to tell you. I don't face my original problem anymore, I'm catching that exception, now zipfile considers some passwords to be correct and throws no exception, it just decompresses the file (which contains junk since the password was wrong). That's for the second bullet of your message.
msg126512 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-01-19 00:53
> I'm catching all errors and exceptions and zipfile still decompresses
> it, that's what I've been trying to tell you. I don't face my original
> problem anymore, I'm catching that exception, now zipfile considers
> some passwords to be correct and throws no exception, it just
> decompresses the file (which contains junk since the password was
> wrong). That's for the second bullet of your message.

Then I suppose the file(s) inside the zip archive are not compressed,
or the compressed contents are miraculously "good" enough for the zlib
not to complain. But, really, unless you have a precise solution to
propose, that's nothing Python can do anything about.

(of course, if you have an idea about the contents of that zip file, you
can devise an application-specific algorithm for validating the
contents)
msg126513 - (view) Author: Kira Erethon (Kira.Erethon) Date: 2011-01-19 01:03
I'm a newbie in python and tried this in order to learn. I created all the zip files (first created a .txt file and zipped it with a password), so I know the file inside the zip is encrypted (ofc I know the password too). Tried this with different .txt files and file names just in case there was some problem with the naming (didn't use any unicode file names). I'm not really at a level I can propose a solution, only thing I know is that zipfile can "decompress" the same file with 4 or more passwords without throwing any exception. Of course only one of those passwords is correct.
So, bottom line is it's a problem of the zip format and not Python eh?
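
Added example (not part of the tracker thread and not CPython's zipfile code): a simulation of the one-byte header check described in msg125896, showing how many wrong passwords it accepts and that comparing the CRC-32 of the decrypted data rejects them. The password `4711`, the fixed salt, the sample text, the four-digit candidate list and all function names are constructed for illustration; the member is stored rather than deflated.

```python
import zlib

def _crc(old, byte):
    # One CRC-32 table step on a single byte (zlib.crc32 minus its pre/post inversion).
    return zlib.crc32(bytes([byte]), old ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE cipher state: three 32-bit keys seeded from the password."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc(self.k2, self.k1 >> 24)

    def crypt(self, data, decrypt):
        out = bytearray()
        for x in data:
            t = (self.k2 & 0xFFFF) | 2
            y = x ^ (((t * (t ^ 1)) >> 8) & 0xFF)  # XOR with the keystream byte
            self._update(y if decrypt else x)      # keys always advance on plaintext
            out.append(y)
        return bytes(out)

def make_entry(password, plaintext, salt):
    # Encryption header: 11 salt bytes, then the high byte of the plaintext CRC-32
    # (the check byte; archives written with a data descriptor use a time byte instead).
    crc = zlib.crc32(plaintext)
    header = salt[:11] + bytes([crc >> 24])
    return ZipCrypto(password).crypt(header + plaintext, decrypt=False), crc

def header_check(password, blob, crc):
    # The only password test available before the member data is decoded.
    return ZipCrypto(password).crypt(blob[:12], decrypt=True)[11] == crc >> 24

def full_check(password, blob, crc):
    # Decrypt the whole member and compare its CRC-32 with the stored value.
    return zlib.crc32(ZipCrypto(password).crypt(blob, decrypt=True)[12:]) == crc

def survey(blob, crc, candidates):
    passed_header = [p for p in candidates if header_check(p, blob, crc)]
    return passed_header, [p for p in passed_header if full_check(p, blob, crc)]

# Constructed sample: stored (uncompressed) member, fixed salt instead of random bytes.
BLOB, CRC = make_entry(b"4711", b"constructed sample text\n" * 4, bytes(range(11)))
CANDIDATES = [b"%04d" % n for n in range(10000)]  # constructed candidate list
```

`survey(BLOB, CRC, CANDIDATES)` returns the passwords that pass the header check (roughly 1 in 256 of the candidates) and the ones that also pass the CRC-32 comparison (only the real password).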
History
Date  User  Action  Args
2022-04-11 14:57:11  admin  set  github: 55085
2013-06-05 01:55:55  r.david.murray  link  issue18134 superseder
2011-01-19 01:03:24  Kira.Erethon  set  nosy: pitrou, eric.smith, Kira.Erethon
    messages: + msg126513
2011-01-19 00:53:14  pitrou  set  nosy: pitrou, eric.smith, Kira.Erethon
    messages: + msg126512
2011-01-19 00:47:49  Kira.Erethon  set  nosy: pitrou, eric.smith, Kira.Erethon
    messages: + msg126511
2011-01-19 00:17:53  pitrou  set  status: open -> closed
    messages: + msg126508
    resolution: not a bug
    nosy: pitrou, eric.smith, Kira.Erethon
2011-01-19 00:07:10  Kira.Erethon  set  nosy: pitrou, eric.smith, Kira.Erethon
    components: + Library (Lib), - Extension Modules
2011-01-19 00:06:56  Kira.Erethon  set  status: closed -> open
    title: Zipfile crashes when zip password is set to 610/844/numerous other numbers -> Zipfile sometimes considers a false password to be correct
    nosy: pitrou, eric.smith, Kira.Erethon
    messages: + msg126505
    resolution: not a bug -> (no value)
2011-01-10 11:34:38  pitrou  set  status: open -> closed
    type: crash -> behavior
    versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
    nosy: + pitrou
    messages: + msg125896
    resolution: not a bug
2011-01-09 23:37:08  Kira.Erethon  set  messages: + msg125873
    title: Zipfile crashes when zip password is set to 610/844 -> Zipfile crashes when zip password is set to 610/844/numerous other numbers
2011-01-09 23:15:01  Kira.Erethon  set  title: Zipfile crashes when zip password is set to 610 -> Zipfile crashes when zip password is set to 610/844
2011-01-09 23:12:19  Kira.Erethon  set  messages: + msg125872
2011-01-09 22:42:06  eric.smith  set  nosy: + eric.smith
    messages: + msg125871
2011-01-09 22:19:32  Kira.Erethon  set  title: Zipfile crashes when zip password is 610 -> Zipfile crashes when zip password is set to 610
2011-01-09 22:17:42  Kira.Erethon  create