Bug #1413790: zipfile now sanitizes absolute archive names that are

not allowed by the specs.
2006-02-20 08:40:38 +00:00 · 2006-02-20 08:40:38 +00:00 · 8f7c54eaa5
parent 200a58058a
commit 8f7c54eaa5
4 changed files with 26 additions and 5 deletions
--- a/Doc/lib/libzipfile.tex
+++ b/Doc/lib/libzipfile.tex
@ -140,10 +140,13 @@ cat myzip.zip >> python.exe
                          compress_type}}}
  Write the file named \var{filename} to the archive, giving it the
  archive name \var{arcname} (by default, this will be the same as
-  \var{filename}).  If given, \var{compress_type} overrides the value
+  \var{filename}, but without a drive letter and with leading path
+  separators removed).  If given, \var{compress_type} overrides the value
  given for the \var{compression} parameter to the constructor for
  the new entry.  The archive must be open with mode \code{'w'} or
-  \code{'a'}. 
+  \code{'a'}.
+  \note{Archive names should be relative to the archive root, that is,
+        they should not start with a path separator.}
 \end{methoddesc}

 \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes}
--- a/Lib/test/test_zipfile.py
+++ b/Lib/test/test_zipfile.py
@ -45,6 +45,16 @@ class TestsWithSourceFile(unittest.TestCase):
            for f in (TESTFN2, TemporaryFile(), StringIO()):
                self.zipTest(f, zipfile.ZIP_DEFLATED)

+    def testAbsoluteArcnames(self):
+        zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED)
+        zipfp.write(TESTFN, "/absolute")
+        zipfp.close()
+
+        zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED)
+        self.assertEqual(zipfp.namelist(), ["absolute"])
+        zipfp.close()
+        
+
    def tearDown(self):
        os.remove(TESTFN)
        os.remove(TESTFN2)
--- a/Lib/zipfile.py
+++ b/Lib/zipfile.py
@ -397,9 +397,11 @@ class ZipFile:
        date_time = mtime[0:6]
        # Create ZipInfo instance to store file information
        if arcname is None:
-            zinfo = ZipInfo(filename, date_time)
-        else:
-            zinfo = ZipInfo(arcname, date_time)
+            arcname = filename
+        arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
+        while arcname[0] in (os.sep, os.altsep):
+            arcname = arcname[1:]
+        zinfo = ZipInfo(arcname, date_time)
        zinfo.external_attr = (st[0] & 0xFFFF) << 16L      # Unix attributes
        if compress_type is None:
            zinfo.compress_type = self.compression
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -372,6 +372,12 @@ Extension Modules
 Library
 -------

+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
 - Patch #1215184: FileInput now can be given an opening hook which can
  be used to control how files are opened.