[Python-checkins] r42508 - in python/trunk: Doc/lib/libzipfile.tex Lib/test/test_zipfile.py Lib/zipfile.py Misc/NEWS

georg.brandl python-checkins at python.org
Mon Feb 20 09:40:44 CET 2006 

Author: georg.brandl
Date: Mon Feb 20 09:40:38 2006
New Revision: 42508

Modified:
   python/trunk/Doc/lib/libzipfile.tex
   python/trunk/Lib/test/test_zipfile.py
   python/trunk/Lib/zipfile.py
   python/trunk/Misc/NEWS
Log:
Bug #1413790: zipfile now sanitizes absolute archive names that are
not allowed by the specs.


Modified: python/trunk/Doc/lib/libzipfile.tex
==============================================================================
--- python/trunk/Doc/lib/libzipfile.tex	(original)
+++ python/trunk/Doc/lib/libzipfile.tex	Mon Feb 20 09:40:38 2006
@@ -140,10 +140,13 @@
                           compress_type}}}
   Write the file named \var{filename} to the archive, giving it the
   archive name \var{arcname} (by default, this will be the same as
-  \var{filename}).  If given, \var{compress_type} overrides the value
+  \var{filename}, but without a drive letter and with leading path
+  separators removed).  If given, \var{compress_type} overrides the value
   given for the \var{compression} parameter to the constructor for
   the new entry.  The archive must be open with mode \code{'w'} or
-  \code{'a'}. 
+  \code{'a'}.
+  \note{Archive names should be relative to the archive root, that is,
+        they should not start with a path separator.}
 \end{methoddesc}
 
 \begin{methoddesc}{writestr}{zinfo_or_arcname, bytes}

Modified: python/trunk/Lib/test/test_zipfile.py
==============================================================================
--- python/trunk/Lib/test/test_zipfile.py	(original)
+++ python/trunk/Lib/test/test_zipfile.py	Mon Feb 20 09:40:38 2006
@@ -45,6 +45,16 @@
             for f in (TESTFN2, TemporaryFile(), StringIO()):
                 self.zipTest(f, zipfile.ZIP_DEFLATED)
 
+    def testAbsoluteArcnames(self):
+        zipfp = zipfile.ZipFile(TESTFN2, "w", zipfile.ZIP_STORED)
+        zipfp.write(TESTFN, "/absolute")
+        zipfp.close()
+
+        zipfp = zipfile.ZipFile(TESTFN2, "r", zipfile.ZIP_STORED)
+        self.assertEqual(zipfp.namelist(), ["absolute"])
+        zipfp.close()
+        
+
     def tearDown(self):
         os.remove(TESTFN)
         os.remove(TESTFN2)

Modified: python/trunk/Lib/zipfile.py
==============================================================================
--- python/trunk/Lib/zipfile.py	(original)
+++ python/trunk/Lib/zipfile.py	Mon Feb 20 09:40:38 2006
@@ -397,9 +397,11 @@
         date_time = mtime[0:6]
         # Create ZipInfo instance to store file information
         if arcname is None:
-            zinfo = ZipInfo(filename, date_time)
-        else:
-            zinfo = ZipInfo(arcname, date_time)
+            arcname = filename
+        arcname = os.path.normpath(os.path.splitdrive(arcname)[1])
+        while arcname[0] in (os.sep, os.altsep):
+            arcname = arcname[1:]
+        zinfo = ZipInfo(arcname, date_time)
         zinfo.external_attr = (st[0] & 0xFFFF) << 16L      # Unix attributes
         if compress_type is None:
             zinfo.compress_type = self.compression

Modified: python/trunk/Misc/NEWS
==============================================================================
--- python/trunk/Misc/NEWS	(original)
+++ python/trunk/Misc/NEWS	Mon Feb 20 09:40:38 2006
@@ -372,6 +372,12 @@
 Library
 -------
 
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
+- Bug #1413790: zipfile now sanitizes absolute archive names that are
+  not allowed by the specs.
+
 - Patch #1215184: FileInput now can be given an opening hook which can
   be used to control how files are opened.

More information about the Python-checkins mailing list