Bug #1413790: zipfile now sanitizes absolute archive names that are
authorGeorg Brandl <georg@python.org>
Mon, 20 Feb 2006 08:40:38 +0000 (08:40 +0000)
committerGeorg Brandl <georg@python.org>
Mon, 20 Feb 2006 08:40:38 +0000 (08:40 +0000)
not allowed by the specs.

Doc/lib/libzipfile.tex
Lib/test/test_zipfile.py
Lib/zipfile.py
Misc/NEWS

index a0b5e63be20b81f0bec5ae72af9929b48f468d81..32ca3e02a41aca8aaf539f0a98dcd4b85741b581 100644 (file)
@@ -140,10 +140,13 @@ cat myzip.zip >> python.exe
                           compress_type}}}
   Write the file named \var{filename} to the archive, giving it the
   archive name \var{arcname} (by default, this will be the same as
-  \var{filename}).  If given, \var{compress_type} overrides the value
+  \var{filename}, but without a drive letter and with leading path
+  separators removed).  If given, \var{compress_type} overrides the value
   given for the \var{compression} parameter to the constructor for
   the new entry.  The archive must be open with mode \code{'w'} or
-  \code{'a'}. 
+  \code{'a'}.
+  \note{Archive names should be relative to the archive root, that is,
+        they should not start with a path separator.}
 \end{methoddesc}
 
 \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes}
index 57e7423d6a39138ebaec324cec5f2d73a979c427..9fadc30f20fcb3b4da4cdc16878afb86bbf19c7a 100644 (file)
@@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase):
             for f in (TESTFN2, TemporaryFile(), StringIO()):
                 self.zipTest(f, zipfile.ZIP_DEFLATED)
 
+    def testAbsoluteArcnames(self):
+        zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED)
+        zipfp.write(TESTFN, "/absolute")
+        zipfp.close()
+
+        zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED)
+        self.assertEqual(zipfp.namelist(), ["absolute"])
+        zipfp.close()
+        
+
     def tearDown(self):
         os.remove(TESTFN)
         os.remove(TESTFN2)
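Review bot: testAbsoluteArcnames pins only a single leading `/`, although the accompanying zipfile.py change also strips a drive letter and runs `os.path.normpath` on the name. Inputs such as `//absolute`, a name that is only a separator, and a relative name with a leading `..` are left untested, so the sanitizer's behaviour on them is undefined by the suite. The handles are also closed with bare `zipfp.close()` calls, so a failing `assertEqual` leaves TESTFN2 open when tearDown calls `os.remove(TESTFN2)`; putting the assertion in `try:` with `finally: zipfp.close()` keeps cleanup reliable.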
index 037843c86da4c5fb2ba21ced76f11ac3f0c4c7d3..168d24502d8cfa60a212e61d524aa82e0cb447e0 100644 (file)
@@ -397,9 +397,11 @@ class ZipFile:
         date_time = mtime[0:6]
         # Create ZipInfo instance to store file information
         if arcname is None:
-            zinfo = ZipInfo(filename, date_time)
-        else:
-            zinfo = ZipInfo(arcname, date_time)
+            arcname = filename
+        arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
+        while arcname[0] in (os.sep, os.altsep):
+            arcname = arcname[1:]
+        zinfo = ZipInfo(arcname, date_time)
         zinfo.external_attr = (st[0] & 0xFFFF) << 16L      # Unix attributes
         if compress_type is None:
             zinfo.compress_type = self.compression
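Review bot: The loop `while arcname[0] in (os.sep, os.altsep):` indexes an empty string once every leading separator has been removed, so an arcname that normalizes to just a separator (for example `/`) would raise IndexError instead of a clear error. Guarding it as `while arcname and arcname[0] in (os.sep, os.altsep):` and then rejecting an empty result explicitly would close that. Separately, `os.path.normpath` keeps leading `..` components of a relative path, so a name like `../x` still appears to be stored unchanged and the entry can resolve outside the archive root for any extractor that trusts stored names. If the goal is that names stay under the root, that case needs its own check, or a comment stating it is out of scope. The enclosing method (presumably `ZipFile.write`) starts and ends outside this hunk.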
index 32f6047385dec6e8aa5ec4ddf30b6fb136aaa960..28895c4a1d40e67d6bae67b76b32e0a5883149ce 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -372,6 +372,12 @@ Extension Modules
 Library
 -------
 
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
 - Patch #1215184: FileInput now can be given an opening hook which can
   be used to control how files are opened.