Skip to content

Commit d8877aa

Browse files
serhiy-storchakamcepl
serhiy-storchaka
authored and
mcepl
committed
[CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb
Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9) From-PR: gh#python/cpython!110016 Fixes: gh#python#109858 Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
1 parent 9ec41b7 commit d8877aa

File tree

3 files changed

+76
-0
lines changed

3 files changed

+76
-0
lines changed

Lib/test/test_zipfile.py

+61
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212

1313
from tempfile import TemporaryFile
1414
from random import randint, random, getrandbits
15+
from unittest import mock
1516

1617
from test.support import script_helper
1718
from test.support import (TESTFN, findfile, unlink, rmtree, temp_dir, temp_cwd,
@@ -1610,6 +1611,66 @@ def test_open_conflicting_handles(self):
16101611
self.assertEqual(zipf.read('baz'), msg3)
16111612
self.assertEqual(zipf.namelist(), ['foo', 'bar', 'baz'])
16121613

1614+
@requires_zlib
1615+
def test_full_overlap(self):
1616+
data = (
1617+
b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
1618+
b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed'
1619+
b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P'
1620+
b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2'
1621+
b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00'
1622+
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK'
1623+
b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
1624+
b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00'
1625+
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05'
1626+
b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00'
1627+
b'\x00\x00\x00'
1628+
)
1629+
with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
1630+
self.assertEqual(zipf.namelist(), ['a', 'b'])
1631+
zi = zipf.getinfo('a')
1632+
self.assertEqual(zi.header_offset, 0)
1633+
self.assertEqual(zi.compress_size, 16)
1634+
self.assertEqual(zi.file_size, 1033)
1635+
zi = zipf.getinfo('b')
1636+
self.assertEqual(zi.header_offset, 0)
1637+
self.assertEqual(zi.compress_size, 16)
1638+
self.assertEqual(zi.file_size, 1033)
1639+
self.assertEqual(len(zipf.read('a')), 1033)
1640+
with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'):
1641+
zipf.read('b')
1642+
1643+
@requires_zlib
1644+
def test_quoted_overlap(self):
1645+
data = (
1646+
b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'
1647+
b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00'
1648+
b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l'
1649+
b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
1650+
b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\'
1651+
b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0'
1652+
b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01'
1653+
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
1654+
b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l'
1655+
b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
1656+
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00'
1657+
b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00'
1658+
b'\x00S\x00\x00\x00\x00\x00'
1659+
)
1660+
with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
1661+
self.assertEqual(zipf.namelist(), ['a', 'b'])
1662+
zi = zipf.getinfo('a')
1663+
self.assertEqual(zi.header_offset, 0)
1664+
self.assertEqual(zi.compress_size, 52)
1665+
self.assertEqual(zi.file_size, 1064)
1666+
zi = zipf.getinfo('b')
1667+
self.assertEqual(zi.header_offset, 36)
1668+
self.assertEqual(zi.compress_size, 16)
1669+
self.assertEqual(zi.file_size, 1033)
1670+
with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'):
1671+
zipf.read('a')
1672+
self.assertEqual(len(zipf.read('b')), 1033)
1673+
16131674
def tearDown(self):
16141675
unlink(TESTFN)
16151676
unlink(TESTFN2)

Lib/zipfile.py

+12
Original file line numberDiff line numberDiff line change
@@ -338,6 +338,7 @@ class ZipInfo (object):
338338
'compress_size',
339339
'file_size',
340340
'_raw_time',
341+
'_end_offset',
341342
)
342343

343344
def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
@@ -376,6 +377,7 @@ def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
376377
self.volume = 0 # Volume number of file header
377378
self.internal_attr = 0 # Internal attributes
378379
self.external_attr = 0 # External file attributes
380+
self._end_offset = None # Start of the next local header or central directory
379381
# Other attributes are set by class ZipFile:
380382
# header_offset Byte offset to the file header
381383
# CRC CRC-32 of the uncompressed file
@@ -1278,6 +1280,12 @@ def _RealGetContents(self):
12781280
if self.debug > 2:
12791281
print("total", total)
12801282

1283+
end_offset = self.start_dir
1284+
for zinfo in sorted(self.filelist,
1285+
key=lambda zinfo: zinfo.header_offset,
1286+
reverse=True):
1287+
zinfo._end_offset = end_offset
1288+
end_offset = zinfo.header_offset
12811289

12821290
def namelist(self):
12831291
"""Return a list of file names in the archive."""
@@ -1432,6 +1440,10 @@ def open(self, name, mode="r", pwd=None, *, force_zip64=False):
14321440
'File name in directory %r and header %r differ.'
14331441
% (zinfo.orig_filename, fname))
14341442

1443+
if (zinfo._end_offset is not None and
1444+
zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
1445+
raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")
1446+
14351447
# check for encrypted flag & handle password
14361448
is_encrypted = zinfo.flag_bits & 0x1
14371449
zd = None

Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst

+3
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
2+
BadZipFile when try to read an entry that overlaps with other entry or
3+
central directory.

0 commit comments

Comments
 (0)