Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-113977, gh-120754: Remove unbounded reads from zipfile #122101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Nov 3, 2024
Merged

gh-113977, gh-120754: Remove unbounded reads from zipfile #122101

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1c1c5a3
GH-120754: Remove unbounded reads from zipfile
cmaloney Jul 18, 2024
08cdd79
Update Lib/zipfile/__init__.py
cmaloney Jul 22, 2024
8961b0b
Update Lib/zipfile/__init__.py
cmaloney Jul 22, 2024
6dc8a0b
Don't require reading an EOF
cmaloney Jul 23, 2024
0d6151e
📜🤖 Added by blurb_it.
blurb-it[bot] Jul 23, 2024
7f78854
Merge branch 'main' into cmaloney/zipfile_tweaks
cmaloney Nov 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions Lib/zipfile/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,7 +309,7 @@ def _EndRecData(fpin):
fpin.seek(-sizeEndCentDir, 2)
except OSError:
return None
data = fpin.read()
data = fpin.read(sizeEndCentDir)
if (len(data) == sizeEndCentDir and
data[0:4] == stringEndArchive and
data[-2:] == b"\000\000"):
Expand All @@ -329,9 +329,9 @@ def _EndRecData(fpin):
# record signature. The comment is the last item in the ZIP file and may be
# up to 64K long. It is assumed that the "end of central directory" magic
# number does not appear in the comment.
maxCommentStart = max(filesize - (1 << 16) - sizeEndCentDir, 0)
maxCommentStart = max(filesize - ZIP_MAX_COMMENT - sizeEndCentDir, 0)
fpin.seek(maxCommentStart, 0)
data = fpin.read()
data = fpin.read(ZIP_MAX_COMMENT + sizeEndCentDir)
start = data.rfind(stringEndArchive)
if start >= 0:
# found the magic number; attempt to unpack and interpret
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Library/2024-07-23-02-24-50.gh-issue-120754.nHb5mG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Update unbounded ``read`` calls in :mod:`zipfile` to specify an explicit ``size`` putting a limit on how much data they may read. This also updates handling around ZIP max comment size to match the standard instead of reading comments that are one byte too long.
Loading