Author CristiFati
Recipients CristiFati
Date 2019-03-08.22:56:50
Message-id <1552085810.83.0.29138554052.issue36247@roundup.psfhosted.org>
Content
The PKWARE encryption password pre-check algorithm (relying on an 8-bit value to differentiate passwords) is insanely short.

Most of the wrong passwords are filtered out by the check, but some of them aren't. For the ones in the latter category, when trying to extract an archive member, a 0-length file with its name will be created on the FS (overwriting any previous version).

Use case:

1. Extract an archive member using the good password. File extracted
2. Extract the same member using a wrong password:
    2.1 For most of the passwords, they will be detected and the operation cancelled
    2.2 But some of them won't be detected (false positives), and the decryption itself will fail, overwriting the file (from #1) on the FS but leaving it with 0 bytes of content

This is about #2.2.

More details on [[SO]: zipfile.BadZipFile: Bad CRC-32 when extracting a password protected .zip & .zip goes corrupt on extract (@CristiFati's answer)](https://stackoverflow.com/questions/54532010/zipfile-badzipfile-bad-crc-32-when-extracting-a-password-protected-zip-zip/55063500#55063500).
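
The following is an added example, not part of the original message and not CPython's `zipfile` code. It implements the traditional PKWARE key schedule from APPNOTE.TXT and counts how many wrong passwords pass the one-byte check against a 12-byte encryption header. The names `ZipCrypto` and `passes_precheck`, the password, the check byte and the header bytes are all constructed for illustration.

```python
import zlib

def crc32_step(crc, byte):
    # Raw CRC-32 table step (no pre/post inversion), derived from zlib.crc32.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE stream cipher state (three 32-bit keys)."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain_byte):
        self.k0 = crc32_step(self.k0, plain_byte)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc32_step(self.k2, self.k1 >> 24)

    def stream_byte(self):
        t = (self.k2 & 0xFFFF) | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def crypt(self, data, decrypting):
        out = bytearray()
        for b in data:
            x = b ^ self.stream_byte()
            self.update(x if decrypting else b)  # keys always advance on plaintext
            out.append(x)
        return bytes(out)

def passes_precheck(password, enc_header, check_byte):
    # Only the last of the 12 decrypted header bytes is compared: 8 bits.
    return ZipCrypto(password).crypt(enc_header, True)[11] == check_byte

# Constructed sample data: in a real archive the first 11 header bytes are
# random and the check byte comes from the member's CRC-32 (or its mod time).
CHECK_BYTE = 0xA7
GOOD = b"correct horse"
HEADER = ZipCrypto(GOOD).crypt(bytes(range(11)) + bytes([CHECK_BYTE]), False)

def false_positives(n=20000):
    """Wrong passwords (constructed: guess0..guessN) that pass the check."""
    wrong = (b"guess%d" % i for i in range(n))
    return [pw for pw in wrong if passes_precheck(pw, HEADER, CHECK_BYTE)]

if __name__ == "__main__":
    print(len(false_positives()), "of 20000 wrong passwords pass; ~1/256 expected")
```

Because roughly one wrong password in 256 gets past this check, an extractor should write decrypted output to a temporary file and replace the existing file only after the CRC-32 of the full content verifies.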