zipfile extractall accepts wrong password #62334

Closed
benedictkwok mannequin opened this issue Jun 4, 2013 · 2 comments
Labels
type-security A security issue

Comments

benedictkwok mannequin commented Jun 4, 2013

BPO 18134
Nosy @vstinner, @bitdancer
Superseder
  • bpo-10876: Zipfile sometimes considers a false password to be correct
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2013-06-05.01:55:55.668>
    created_at = <Date 2013-06-04.20:24:26.310>
    labels = ['type-security']
    title = 'zipfile extractall accepts wrong password'
    updated_at = <Date 2013-06-05.01:55:55.647>
    user = 'https://bugs.python.org/benedictkwok'

    bugs.python.org fields:

    activity = <Date 2013-06-05.01:55:55.647>
    actor = 'r.david.murray'
    assignee = 'none'
    closed = True
    closed_date = <Date 2013-06-05.01:55:55.668>
    closer = 'r.david.murray'
    components = []
    creation = <Date 2013-06-04.20:24:26.310>
    creator = 'benedictkwok'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 18134
    keywords = []
    message_count = 2.0
    messages = ['190610', '190638']
    nosy_count = 3.0
    nosy_names = ['vstinner', 'r.david.murray', 'benedictkwok']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '10876'
    type = 'security'
    url = 'https://bugs.python.org/issue18134'
    versions = ['Python 2.7']

    benedictkwok mannequin commented Jun 4, 2013

    Steps to reproduce:

    1. create a ssn.txt file with social security numbers of customers
    2. create a zip file with a password: zip -P secret ssn ssn.txt
    3. create a python script to extract the zipfile by:
      import zipfile

      zFile = zipfile.ZipFile("ssn.zip")
      try:
          # bytes literal: accepted on Python 2.7 (the reported version), required on Python 3
          zFile.extractall(pwd=b"secret")
      except Exception as e:
          print(e)

    This will extract the ssn.txt into the directory by using the right password "secret".
    4. However, by using a wrong password "proa" this does not get the exception. Instead it creates a ssn.txt file which is corrupted.
    5. Other wrong passwords will get the exception but not the one described in step 4.

    @benedictkwok benedictkwok mannequin added the type-security A security issue label Jun 4, 2013
    @bitdancer

    This is a duplicate of bpo-10876. According to that issue it is a bug in the zipfile format.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
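
Added example, not code from this issue or from CPython: in the traditional PKWARE encryption that `zip -P` applies, the only password test the format offers is one check byte at the end of a 12-byte encryption header, so roughly 1 in 256 wrong passwords pass it and are only exposed by the CRC-32 over the fully decrypted data. The sketch reimplements the cipher on constructed data; `protect`, `header_accepts`, `crc_accepts` and `survey` are hypothetical helper names, and the header bytes and wrong passwords are constructed.

```python
import zlib

def _crc_step(crc, byte):
    # Raw one-byte CRC-32 update (no pre/post inversion), as the cipher uses it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE stream cipher, the one `zip -P` applies."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain):
        self.k0 = _crc_step(self.k0, plain)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def crypt(self, data, decrypting):
        out = bytearray()
        for b in data:
            t = (self.k2 | 2) & 0xFFFF
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self._update(x if decrypting else b)  # keys advance on plaintext
            out.append(x)
        return bytes(out)

def protect(password, data):
    """Encrypt 12-byte header + data; the header's last byte is the CRC's high byte."""
    crc = zlib.crc32(data)
    header = bytes(range(11)) + bytes([crc >> 24])  # constructed; normally random
    return crc, ZipCrypto(password).crypt(header + data, False)

def header_accepts(password, crc, blob):
    return ZipCrypto(password).crypt(blob[:12], True)[11] == crc >> 24  # 1-byte test

def crc_accepts(password, crc, blob):
    # Full verification: decrypt everything, compare the CRC-32 of the data.
    return zlib.crc32(ZipCrypto(password).crypt(blob, True)[12:]) == crc

def survey(n=5000):
    crc, blob = protect(b"secret", b"constructed sample record\n" * 4)
    wrong = [b"wrong%d" % i for i in range(n)]  # constructed wrong passwords
    past_header = [p for p in wrong if header_accepts(p, crc, blob)]
    past_crc = [p for p in past_header if crc_accepts(p, crc, blob)]
    return len(past_header), len(past_crc)

if __name__ == "__main__":
    print("passed header check / passed CRC: %d / %d" % survey())
```

For extraction code, the consequence is that a missing password error proves nothing about the output: read each member to the end so the CRC is checked before the data is written to its destination or used.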