[New-bugs-announce] [issue29739] zipfile raises wrong exception for some incorrect passwords

Mon Mar 6 15:48:19 EST 2017

New submission from Jack Cushman:

This bug arises when attempting to unzip a password-protected zipfile using the wrong password.

Usually when zipfile extraction is attempted with an incorrect password, zipfile raise `RuntimeError("Bad password for file")`. But for a small subset of passwords (about .4% of possible passwords), it instead raises `BadZipfile("Bad CRC-32 for file")`.

Attached is a script that attempts to decrypt a zip file using every 3-letter uppercase password. (This assumes you have first created the zip file, by running something like: `echo "stuff" > /tmp/foo.txt; zip -e -P password /tmp/foo.zip /tmp/foo.txt`.)

The specific passwords that trigger the wrong exception will vary each time the zip file is created. On my system, for a particular zip file, the result is this output:

BadZipFile b'ACB'
BadZipFile b'AMJ'
BadZipFile b'ASL'
BadZipFile b'AZV'
BadZipFile b'BCI'
BadZipFile b'BMV'
BadZipFile b'BQG'
BadZipFile b'BRB'
BadZipFile b'BYH'
BadZipFile b'CHU'
BadZipFile b'CTV'
BadZipFile b'DEF'
BadZipFile b'DHJ'
BadZipFile b'DSR'
BadZipFile b'EWG'
BadZipFile b'GOK'
BadZipFile b'GUK'
BadZipFile b'HGL'
BadZipFile b'HPV'
BadZipFile b'IAC'
BadZipFile b'IGQ'
BadZipFile b'IHG'
BadZipFile b'ILB'
BadZipFile b'IRJ'
BadZipFile b'JDW'
BadZipFile b'JIT'
BadZipFile b'JMK'
BadZipFile b'JPD'
BadZipFile b'JWL'
BadZipFile b'JXS'
BadZipFile b'KAR'
BadZipFile b'KKH'
BadZipFile b'LNW'
BadZipFile b'MEL'
BadZipFile b'NDY'
BadZipFile b'NFJ'
BadZipFile b'NLU'
BadZipFile b'NQU'
BadZipFile b'OXC'
BadZipFile b'PHA'
BadZipFile b'PQY'
BadZipFile b'QCN'
BadZipFile b'QFT'
BadZipFile b'QMB'
BadZipFile b'QWZ'
BadZipFile b'QYS'
BadZipFile b'RBR'
BadZipFile b'SKU'
BadZipFile b'SLG'
BadZipFile b'STU'
BadZipFile b'SUP'
BadZipFile b'UCD'
BadZipFile b'UOA'
BadZipFile b'UQM'
BadZipFile b'VAO'
BadZipFile b'VEQ'
BadZipFile b'VJW'
BadZipFile b'VVH'
BadZipFile b'WDA'
BadZipFile b'XCR'
BadZipFile b'XIY'
BadZipFile b'XLG'
BadZipFile b'YJA'
BadZipFile b'YMA'
BadZipFile b'YRB'
BadZipFile b'ZHT'
BadZipFile b'ZVJ'
BadZipFile b'ZWR'
BadZipFile b'ZZT'
69 out of 17576 passwords raise BadZipFile

Versions:

I reproduced this in Python 2.7.10 and 3.6.0, using a zip file created on Mac OS 10.12.3 with this zip version: 

$ zip --version
Copyright (c) 1990-2008 Info-ZIP - Type 'zip "-L"' for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
Compiled with gcc 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34) for Unix (Mac OS X) on Jul 30 2016.

----------
components: Library (Lib)
files: fail.py
messages: 289132
nosy: jcushman
priority: normal
severity: normal
status: open
title: zipfile raises wrong exception for some incorrect passwords
type: behavior
versions: Python 2.7, Python 3.6
Added file: http://bugs.python.org/file46706/fail.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29739>
_______________________________________