classification
Title: Zipfile.testzip considers wrong password as correct
Type: behavior
Stage:
Components: Library (Lib)
Versions:

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Amir, eric.smith
Priority: normal
Keywords:

Created on 2020-09-12 06:38 by Amir, last changed 2020-09-12 22:40 by eric.smith.

Files
| File name | Uploaded | Description |
|---|---|---|
| poc.py | Amir, 2020-09-12 06:49 | |
| encrypted.zip | Amir, 2020-09-12 06:50 | |

Messages (2)
msg376783 - Author: Amir Mohamadi (Amir) Date: 2020-09-12 06:49
Zipfile.testzip sometimes works perfectly with a wrong password. Refer to poc.py. I have a zip file with password '76453', and when I try a wrong password with extractall:

    myzip.setpassword(b'10006050')
    myzip.extractall()

It raises a Bad CRC-32 exception. But when I try testzip instead of extractall:

    myzip.setpassword(b'10006050')
    myzip.testzip()

no exception is raised.

msg376813 - Author: Eric V. Smith (eric.smith) (Python committer) Date: 2020-09-12 22:40
I believe what testzip is doing is validating the structural integrity of the file, which it appears can be tested without decrypting the contents.

Although it is odd that if you don't call setpassword, even with the wrong password, testzip will raise a RuntimeError.

See https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption for a few scant details.
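
Added example (not part of the issue thread or of poc.py): a hand-built, one-member archive using traditional ZIP encryption, showing the three outcomes a password can produce with `testzip()`. The legacy scheme checks a password against a single byte of the 12-byte encryption header, so a wrong password can pass that check, and `testzip()` then reports the CRC-32 failure through its return value (the name of the first bad member) rather than by raising. The helper names, member name, sample data and `salt` parameter are constructed for illustration.

```python
import io, struct, zipfile, zlib

def _crc(k, b):
    # One raw CRC-32 step (no pre/post inversion), as the ZIP 2.0 cipher uses it.
    return zlib.crc32(bytes([b]), k ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(pwd, plain):
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    out = bytearray()
    for i, p in enumerate(pwd + plain):
        if i >= len(pwd):  # password bytes only seed the keys
            t = k2 | 2
            out.append(p ^ ((t * (t ^ 1)) >> 8) & 0xFF)
        k0 = _crc(k0, p)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc(k2, k1 >> 24)
    return bytes(out)

def make_encrypted_zip(pwd, name, data, salt):
    """Constructed one-member archive: stored (no compression), ZipCrypto-encrypted."""
    crc = zlib.crc32(data)
    # 12-byte encryption header: 11 filler bytes, then the 1-byte password check value.
    body = zipcrypto_encrypt(pwd, salt.to_bytes(11, "little") + bytes([crc >> 24]) + data)
    common = struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0x21, crc,
                         len(body), len(data), len(name), 0)
    local = b"PK\x03\x04" + common + name + body
    central = (b"PK\x01\x02" + struct.pack("<H", 20) + common
               + struct.pack("<HHHII", 0, 0, 0, 0, 0) + name)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def check_password(blob, pwd):
    """'ok', 'rejected' (check byte mismatch) or 'crc-mismatch' (check byte passed)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        zf.setpassword(pwd)
        try:
            bad = zf.testzip()  # returns the first bad member name, does not raise BadZipFile
        except RuntimeError:    # "Bad password for file ..." from the check byte
            return "rejected"
    return "ok" if bad is None else "crc-mismatch"

def demo(right=b"76453", wrong=b"10006050"):
    # Vary the filler bytes until the wrong password happens to pass the 1-byte check.
    for salt in range(1 << 20):
        blob = make_encrypted_zip(right, b"secret.txt", b"constructed sample data", salt)
        if check_password(blob, wrong) != "rejected":
            return salt, check_password(blob, right), check_password(blob, wrong)

if __name__ == "__main__":
    print(demo())
```

Code that uses `testzip()` to validate a password has to treat any non-`None` return value as a failure, not only an exception.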
History

| Date | User | Action | Args |
|---|---|---|---|
| 2020-09-12 22:40:34 | eric.smith | set | nosy: + eric.smith; messages: + msg376813 |
| 2020-09-12 06:50:14 | Amir | set | files: + encrypted.zip |
| 2020-09-12 06:49:58 | Amir | set | files: + poc.py; messages: + msg376783 |
| 2020-09-12 06:38:10 | Amir | create | |