Hello community,
here is the log from the commit of package rubygem-rubyzip for
openSUSE:Leap:15.2 checked in at 2020-01-30 15:46:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/rubygem-rubyzip (Old)
and /work/SRC/openSUSE:Leap:15.2/.rubygem-rubyzip.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rubyzip"
Thu Jan 30 15:46:58 2020 rev:13 rq:767767 version:1.3.0
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/rubygem-rubyzip/rubygem-rubyzip.changes
2020-01-15 15:59:45.955809248 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.rubygem-rubyzip.new.26092/rubygem-rubyzip.changes
2020-01-30 15:46:59.305292044 +0100
@@ -1,0 +2,54 @@
+Wed Nov 13 10:46:58 UTC 2019 - Dan Čermák <dcer...@suse.com>
+
+- Update to version 1.3
+ This fixes CVE-2019-16892
+
+ Security
+
+ - Add `validate_entry_sizes` option so that callers can trust an entry's
reported size when using `extract`
[#403](https://github.com/rubyzip/rubyzip/pull/403)
+ - This option defaults to `false` for backward compatibility in this
release, but you are strongly encouraged to set it to `true`. It will default
to `true` in rubyzip 2.0.
+
+ New Feature
+
+ - Add `add_stored` method to simplify adding entries without compression
[#366](https://github.com/rubyzip/rubyzip/pull/366)
+
+ Tooling / Documentation
+
+ - Add more gem metadata links
[#402](https://github.com/rubyzip/rubyzip/pull/402)
+
+-------------------------------------------------------------------
+Tue Nov 12 19:41:31 UTC 2019 - Johannes Kastl <ka...@b1-systems.de>
+
+- used latest template for gem2rpm.yml
+- add license to gem2rpm.yml to correctly get BSD-2-Clause
+
+-------------------------------------------------------------------
+Tue Nov 12 14:29:07 UTC 2019 - Manuel Schnitzer <mschnit...@suse.com>
+
+- updated to version 1.2.4
+
+ * Do not rewrite zip files opened with `open_buffer` that have not changed
[#360](https://github.com/rubyzip/rubyzip/pull/360)
+
+ Tooling / Documentation
+
+ * Update `example_recursive.rb` in README
[#397](https://github.com/rubyzip/rubyzip/pull/397)
+ * Hold CI at `trusty` for now, automatically pick the latest ruby patch
version, use rbx-4 and hold jruby at 9.1
[#399](https://github.com/rubyzip/rubyzip/pull/399)
+
+-------------------------------------------------------------------
+Mon Jul 8 07:53:40 UTC 2019 - Manuel Schnitzer <mschnit...@suse.com>
+
+- updated to version 1.2.3
+
+ * Allow tilde in zip entry names
[#391](https://github.com/rubyzip/rubyzip/pull/391) (fixes regression in 1.2.2
from [#376](https://github.com/rubyzip/rubyzip/pull/376))
+ * Support frozen string literals in more files
[#390](https://github.com/rubyzip/rubyzip/pull/390)
+ * Require `pathname` explicitly
[#388](https://github.com/rubyzip/rubyzip/pull/388) (fixes regression in 1.2.2
from [#376](https://github.com/rubyzip/rubyzip/pull/376))
+
+ Tooling / Documentation:
+
+ * CI updates [#392](https://github.com/rubyzip/rubyzip/pull/392),
[#394](https://github.com/rubyzip/rubyzip/pull/394)
+ - Bump supported ruby versions and add 2.6
+ - JRuby failures are no longer ignored (reverts
[#375](https://github.com/rubyzip/rubyzip/pull/375) / part of
[#371](https://github.com/rubyzip/rubyzip/pull/371))
+ * Add changelog entry that was missing for last release
[#387](https://github.com/rubyzip/rubyzip/pull/387)
+ * Comment cleanup [#385](https://github.com/rubyzip/rubyzip/pull/385)
+
+-------------------------------------------------------------------
Old:
----
rubyzip-1.2.2.gem
New:
----
rubyzip-1.3.0.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rubyzip.spec ++++++
--- /var/tmp/diff_new_pack.EBvrtE/_old 2020-01-30 15:46:59.901292225 +0100
+++ /var/tmp/diff_new_pack.EBvrtE/_new 2020-01-30 15:46:59.909292227 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rubyzip
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,28 +16,26 @@
#
+%define mod_name rubyzip
+%define mod_full_name %{mod_name}-%{version}
#
# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
# All sections marked as MANUAL, license headers, summaries and descriptions
# can be maintained in that file. Please consult this file before editing any
# of those fields
#
-
Name: rubygem-rubyzip
-Version: 1.2.2
+Version: 1.3.0
Release: 0
-%define mod_name rubyzip
-%define mod_full_name %{mod_name}-%{version}
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: %{ruby >= 1.9.2}
-BuildRequires: %{rubygem gem2rpm}
-BuildRequires: ruby-macros >= 5
-Url: http://github.com/rubyzip/rubyzip
-Source: https://rubygems.org/gems/%{mod_full_name}.gem
-Source1: gem2rpm.yml
Summary: rubyzip is a ruby module for reading and writing zip files
License: BSD-2-Clause
Group: Development/Languages/Ruby
+URL: https://github.com/rubyzip/rubyzip
+Source: https://rubygems.org/gems/%{mod_full_name}.gem
+Source1: gem2rpm.yml
+BuildRequires: %{ruby >= 1.9.2}
+BuildRequires: %{rubygem gem2rpm}
+BuildRequires: ruby-macros >= 5
%description
rubyzip is a ruby module for reading and writing zip files.
++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.EBvrtE/_old 2020-01-30 15:46:59.957292241 +0100
+++ /var/tmp/diff_new_pack.EBvrtE/_new 2020-01-30 15:46:59.957292241 +0100
@@ -7,9 +7,9 @@
#
# it can be multiline
# ## used by gem2rpm
-# :license: MIT or Ruby
+:license: BSD-2-Clause
# ## used by gem2rpm and gem_packages
-# :version_suffix: -x_y
+# :version_suffix: -1.3
# ## used by gem2rpm and gem_packages
# :disable_docs: true
# ## used by gem2rpm
@@ -21,9 +21,11 @@
# ## used by gem2rpm
# :patches:
# foo.patch: -p1
-# bar.patch:
+# bar.patch:
+# :post_patch:
+# if you need to fiddle with the source dir before rebuilding the gem
# ## used by gem2rpm
-:sources:
+# :sources:
# - foo.desktop
# - bar.desktop
# :gem_install_args: '....'
@@ -54,7 +56,7 @@
# :filelist: |-
# /usr/bin/gem2rpm-opensuse
# ## used by gem_packages
-# :custom:
+# :custom_pkgs:
# apache:
# :preamble: |-
# Requires: .....
@@ -67,4 +69,8 @@
# bar
# :post: |-
# /bin/echo foo
-#
+# :preamble: |-
+# %if 0%{?suse_version} && 0%{?suse_version} < 1330
+# %define rb_build_versions ruby24 ruby25
+# %define rb_default_ruby_abi ruby:2.4.0 ruby:2.5.0
+# %endif
++++++ rubyzip-1.2.2.gem -> rubyzip-1.3.0.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2018-08-31 18:20:18.000000000 +0200
+++ new/README.md 2019-09-25 21:38:00.000000000 +0200
@@ -1,4 +1,5 @@
# rubyzip
+
[](http://badge.fury.io/rb/rubyzip)
[](http://travis-ci.org/rubyzip/rubyzip)
[](https://codeclimate.com/github/rubyzip/rubyzip)
@@ -19,9 +20,10 @@
## Requirements
-* Ruby 1.9.2 or greater
+- Ruby 1.9.2 or greater
## Installation
+
Rubyzip is available on RubyGems:
```
@@ -59,7 +61,8 @@
```
### Zipping a directory recursively
-Copy from
[here](https://github.com/rubyzip/rubyzip/blob/05916bf89181e1955118fd3ea059f18acac28cc8/samples/example_recursive.rb
)
+
+Copy from
[here](https://github.com/rubyzip/rubyzip/blob/9d891f7353e66052283562d3e252fe380bb4b199/samples/example_recursive.rb)
```ruby
require 'zip'
@@ -83,7 +86,7 @@
# Zip the input directory.
def write
- entries = Dir.entries(@input_dir) - %w(. ..)
+ entries = Dir.entries(@input_dir) - %w[. ..]
::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
write_entries entries, '', zipfile
@@ -97,7 +100,6 @@
entries.each do |e|
zipfile_path = path == '' ? e : File.join(path, e)
disk_file_path = File.join(@input_dir, zipfile_path)
- puts "Deflating #{disk_file_path}"
if File.directory? disk_file_path
recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
@@ -109,14 +111,12 @@
def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
zipfile.mkdir zipfile_path
- subdir = Dir.entries(disk_file_path) - %w(. ..)
+ subdir = Dir.entries(disk_file_path) - %w[. ..]
write_entries subdir, zipfile_path, zipfile
end
def put_into_archive(disk_file_path, zipfile, zipfile_path)
- zipfile.get_output_stream(zipfile_path) do |f|
- f.write(File.open(disk_file_path, 'rb').read)
- end
+ zipfile.add(zipfile_path, disk_file_path)
end
end
```
@@ -152,12 +152,15 @@
### Reading a Zip file
```ruby
+MAX_SIZE = 1024**2 # 1MiB (but of course you can increase this)
Zip::File.open('foo.zip') do |zip_file|
# Handle entries one by one
zip_file.each do |entry|
- # Extract to file/directory/symlink
puts "Extracting #{entry.name}"
- entry.extract(dest_file)
+ raise 'File too large when extracted' if entry.size > MAX_SIZE
+
+ # Extract to file or directory based on name in the archive
+ entry.extract
# Read into memory
content = entry.get_input_stream.read
@@ -165,6 +168,7 @@
# Find specific entry
entry = zip_file.glob('*.csv').first
+ raise 'File too large when extracted' if entry.size > MAX_SIZE
puts entry.get_input_stream.read
end
```
@@ -177,7 +181,6 @@
> If bit 3 (0x08) of the general-purpose flags field is set, then the CRC-32
> and file sizes are not known when the header is written. The fields in the
> local header are filled with zero, and the CRC-32 and size are appended in a
> 12-byte structure (optionally preceded by a 4-byte signature) immediately
> after the compressed data
-
If `::Zip::InputStream` finds such entry in the zip archive it will raise an
exception.
### Password Protection (Experimental)
@@ -220,7 +223,9 @@
## Configuration
-By default, rubyzip will not overwrite files if they already exist inside of
the extracted path. To change this behavior, you may specify a configuration
option like so:
+### Existing Files
+
+By default, rubyzip will not overwrite files if they already exist inside of
the extracted path. To change this behavior, you may specify a configuration
option like so:
```ruby
Zip.on_exists_proc = true
@@ -234,32 +239,82 @@
Zip.continue_on_exists_proc = true
```
+### Non-ASCII Names
+
If you want to store non-english names and want to open them on Windows(pre 7)
you need to set this option:
```ruby
Zip.unicode_names = true
```
+Sometimes file names inside zip contain non-ASCII characters. If you can
assume which encoding was used for such names and want to be able to find such
entries using `find_entry` then you can force assumed encoding like so:
+
+```ruby
+Zip.force_entry_names_encoding = 'UTF-8'
+```
+
+Allowed encoding names are the same as accepted by `String#force_encoding`
+
+### Date Validation
+
Some zip files might have an invalid date format, which will raise a warning.
You can hide this warning with the following setting:
```ruby
Zip.warn_invalid_date = false
```
+### Size Validation
+
+**This setting defaults to `false` in rubyzip 1.3 for backward compatibility,
but it will default to `true` in rubyzip 2.0.**
+
+If you set
+```
+Zip.validate_entry_sizes = true
+```
+then `rubyzip`'s `extract` method checks that an entry's reported uncompressed
size is not (significantly) smaller than its actual size. This is to help you
protect your application against [zip
bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry,
you should check that its size is in the range you expect. For example, if your
application supports processing up to 100 files at once, each up to 10MiB, your
zip extraction code might look like:
+
+```ruby
+MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
+MAX_FILES = 100
+Zip::File.open('foo.zip') do |zip_file|
+ num_files = 0
+ zip_file.each do |entry|
+ num_files += 1 if entry.file?
+ raise 'Too many extracted files' if num_files > MAX_FILES
+ raise 'File too large when extracted' if entry.size > MAX_FILE_SIZE
+ entry.extract
+ end
+end
+```
+
+If you need to extract zip files that report incorrect uncompressed sizes and
you really trust them not too be too large, you can disable this setting with
+```ruby
+Zip.validate_entry_sizes = false
+```
+
+Note that if you use the lower level `Zip::InputStream` interface, `rubyzip`
does *not* check the entry `size`s. In this case, the caller is responsible for
making sure it does not read more data than expected from the input stream.
+
+### Default Compression
+
You can set the default compression level like so:
```ruby
Zip.default_compression = Zlib::DEFAULT_COMPRESSION
```
+
It defaults to `Zlib::DEFAULT_COMPRESSION`. Possible values are
`Zlib::BEST_COMPRESSION`, `Zlib::DEFAULT_COMPRESSION` and `Zlib::NO_COMPRESSION`
-Sometimes file names inside zip contain non-ASCII characters. If you can
assume which encoding was used for such names and want to be able to find such
entries using `find_entry` then you can force assumed encoding like so:
+### Zip64 Support
+
+By default, Zip64 support is disabled for writing. To enable it do this:
```ruby
-Zip.force_entry_names_encoding = 'UTF-8'
+Zip.write_zip64_support = true
```
-Allowed encoding names are the same as accepted by `String#force_encoding`
+_NOTE_: If you will enable Zip64 writing then you will need zip extractor with
Zip64 support to extract archive.
+
+### Block Form
You can set multiple settings at the same time by using a block:
@@ -272,14 +327,6 @@
end
```
-By default, Zip64 support is disabled for writing. To enable it do this:
-
-```ruby
-Zip.write_zip64_support = true
-```
-
-_NOTE_: If you will enable Zip64 writing then you will need zip extractor with
Zip64 support to extract archive.
-
## Developing
To run the test you need to do this:
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/entry.rb new/lib/zip/entry.rb
--- old/lib/zip/entry.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/entry.rb 2019-09-25 21:38:00.000000000 +0200
@@ -1,3 +1,4 @@
+require 'pathname'
module Zip
class Entry
STORED = 0
@@ -117,7 +118,7 @@
return false unless cleanpath.relative?
root = ::File::SEPARATOR
naive_expanded_path = ::File.join(root, cleanpath.to_s)
- cleanpath.expand_path(root).to_s == naive_expanded_path
+ ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
end
def local_entry_offset #:nodoc:all
@@ -275,10 +276,10 @@
zip64 = @extra['Zip64']
[::Zip::LOCAL_ENTRY_SIGNATURE,
@version_needed_to_extract, # version needed to extract
- @gp_flags, # @gp_flags ,
+ @gp_flags, # @gp_flags
@compression_method,
- @time.to_binary_dos_time, # @last_mod_time ,
- @time.to_binary_dos_date, # @last_mod_date ,
+ @time.to_binary_dos_time, # @last_mod_time
+ @time.to_binary_dos_date, # @last_mod_date
@crc,
zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -432,11 +433,11 @@
@header_signature,
@version, # version of encoding software
@fstype, # filesystem type
- @version_needed_to_extract, # @versionNeededToExtract ,
- @gp_flags, # @gp_flags ,
+ @version_needed_to_extract, # @versionNeededToExtract
+ @gp_flags, # @gp_flags
@compression_method,
- @time.to_binary_dos_time, # @last_mod_time ,
- @time.to_binary_dos_date, # @last_mod_date ,
+ @time.to_binary_dos_time, # @last_mod_time
+ @time.to_binary_dos_date, # @last_mod_date
@crc,
zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -602,9 +603,21 @@
get_input_stream do |is|
set_extra_attributes_on_path(dest_path)
- buf = ''
+ bytes_written = 0
+ warned = false
+ buf = ''.dup
while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf))
os << buf
+ bytes_written += buf.bytesize
+ if bytes_written > size && !warned
+ message = "Entry #{name} should be #{size}B but is larger when
inflated"
+ if ::Zip.validate_entry_sizes
+ raise ::Zip::EntrySizeError, message
+ else
+ puts "WARNING: #{message}"
+ warned = true
+ end
+ end
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/errors.rb new/lib/zip/errors.rb
--- old/lib/zip/errors.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/errors.rb 2019-09-25 21:38:00.000000000 +0200
@@ -4,6 +4,7 @@
class DestinationFileExistsError < Error; end
class CompressionMethodError < Error; end
class EntryNameError < Error; end
+ class EntrySizeError < Error; end
class InternalError < Error; end
class GPFBit3Error < Error; end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/extra_field.rb new/lib/zip/extra_field.rb
--- old/lib/zip/extra_field.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/extra_field.rb 2019-09-25 21:38:00.000000000 +0200
@@ -26,7 +26,7 @@
end
def create_unknown_item
- s = ''
+ s = ''.dup
class << s
alias_method :to_c_dir_bin, :to_s
alias_method :to_local_bin, :to_s
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/file.rb new/lib/zip/file.rb
--- old/lib/zip/file.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/file.rb 2019-09-25 21:38:00.000000000 +0200
@@ -64,24 +64,38 @@
# Opens a zip archive. Pass true as the second parameter to create
# a new archive if it doesn't exist already.
- def initialize(file_name, create = false, buffer = false, options = {})
+ def initialize(path_or_io, create = false, buffer = false, options = {})
super()
- @name = file_name
+ @name = path_or_io.respond_to?(:path) ? path_or_io.path : path_or_io
@comment = ''
@create = create ? true : false # allow any truthy value to mean true
- if !buffer && ::File.size?(file_name)
+
+ if ::File.size?(@name.to_s)
+ # There is a file, which exists, that is associated with this zip.
@create = false
- @file_permissions = ::File.stat(file_name).mode
- ::File.open(name, 'rb') do |f|
- read_from_stream(f)
+ @file_permissions = ::File.stat(@name).mode
+
+ if buffer
+ read_from_stream(path_or_io)
+ else
+ ::File.open(@name, 'rb') do |f|
+ read_from_stream(f)
+ end
end
+ elsif buffer && path_or_io.size > 0
+ # This zip is probably a non-empty StringIO.
+ read_from_stream(path_or_io)
elsif @create
+ # This zip is completely new/empty and is to be created.
@entry_set = EntrySet.new
- elsif ::File.zero?(file_name)
- raise Error, "File #{file_name} has zero size. Did you mean to pass
the create flag?"
+ elsif ::File.zero?(@name)
+ # A file exists, but it is empty.
+ raise Error, "File #{@name} has zero size. Did you mean to pass the
create flag?"
else
- raise Error, "File #{file_name} not found"
+ # Everything is wrong.
+ raise Error, "File #{@name} not found"
end
+
@stored_entries = @entry_set.dup
@stored_comment = @comment
@restore_ownership = options[:restore_ownership] || false
@@ -119,17 +133,16 @@
unless IO_METHODS.map { |method| io.respond_to?(method) }.all? ||
io.is_a?(String)
raise "Zip::File.open_buffer expects a String or IO-like argument
(responds to #{IO_METHODS.join(', ')}). Found: #{io.class}"
end
- if io.is_a?(::String)
- require 'stringio'
- io = ::StringIO.new(io)
- elsif io.respond_to?(:binmode)
- # https://github.com/rubyzip/rubyzip/issues/119
- io.binmode
- end
+
+ io = ::StringIO.new(io) if io.is_a?(::String)
+
+ # https://github.com/rubyzip/rubyzip/issues/119
+ io.binmode if io.respond_to?(:binmode)
+
zf = ::Zip::File.new(io, true, true, options)
- zf.read_from_stream(io)
return zf unless block_given?
yield zf
+
begin
zf.write_buffer(io)
rescue IOError => e
@@ -274,6 +287,13 @@
@entry_set << new_entry
end
+ # Convenience method for adding the contents of a file to the archive
+ # in Stored format (uncompressed)
+ def add_stored(entry, src_path, &continue_on_exists_proc)
+ entry = ::Zip::Entry.new(@name, entry.to_s, nil, nil, nil, nil,
::Zip::Entry::STORED)
+ add(entry, src_path, &continue_on_exists_proc)
+ end
+
# Removes the specified entry.
def remove(entry)
@entry_set.delete(get_entry(entry))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/inflater.rb new/lib/zip/inflater.rb
--- old/lib/zip/inflater.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/inflater.rb 2019-09-25 21:38:00.000000000 +0200
@@ -3,7 +3,7 @@
def initialize(input_stream, decrypter = NullDecrypter.new)
super(input_stream)
@zlib_inflater = ::Zlib::Inflate.new(-Zlib::MAX_WBITS)
- @output_buffer = ''
+ @output_buffer = ''.dup
@has_returned_empty_string = false
@decrypter = decrypter
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip/version.rb new/lib/zip/version.rb
--- old/lib/zip/version.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip/version.rb 2019-09-25 21:38:00.000000000 +0200
@@ -1,3 +1,3 @@
module Zip
- VERSION = '1.2.2'
+ VERSION = '1.3.0'
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/zip.rb new/lib/zip.rb
--- old/lib/zip.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/lib/zip.rb 2019-09-25 21:38:00.000000000 +0200
@@ -42,7 +42,8 @@
:write_zip64_support,
:warn_invalid_date,
:case_insensitive_match,
- :force_entry_names_encoding
+ :force_entry_names_encoding,
+ :validate_entry_sizes
def reset!
@_ran_once = false
@@ -54,6 +55,7 @@
@write_zip64_support = false
@warn_invalid_date = true
@case_insensitive_match = false
+ @validate_entry_sizes = false
end
def setup
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2018-08-31 18:20:18.000000000 +0200
+++ new/metadata 2019-09-25 21:38:00.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: rubyzip
version: !ruby/object:Gem::Version
- version: 1.2.2
+ version: 1.3.0
platform: ruby
authors:
- Alexander Simonov
autorequire:
bindir: bin
cert_chain: []
-date: 2018-08-31 00:00:00.000000000 Z
+date: 2019-09-25 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: rake
@@ -164,6 +164,7 @@
- test/data/path_traversal/jwilk/relative2.zip
- test/data/path_traversal/jwilk/symlink.zip
- test/data/path_traversal/relative1.zip
+- test/data/path_traversal/tilde.zip
- test/data/path_traversal/tuzovakaoff/README.md
- test/data/path_traversal/tuzovakaoff/absolutepath.zip
- test/data/path_traversal/tuzovakaoff/symlink.zip
@@ -210,7 +211,12 @@
homepage: http://github.com/rubyzip/rubyzip
licenses:
- BSD 2-Clause
-metadata: {}
+metadata:
+ bug_tracker_uri: https://github.com/rubyzip/rubyzip/issues
+ changelog_uri: https://github.com/rubyzip/rubyzip/blob/v1.3.0/Changelog.md
+ documentation_uri: https://www.rubydoc.info/gems/rubyzip/1.3.0
+ source_code_uri: https://github.com/rubyzip/rubyzip/tree/v1.3.0
+ wiki_uri: https://github.com/rubyzip/rubyzip/wiki
post_install_message:
rdoc_options: []
require_paths:
@@ -226,8 +232,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
signing_key:
specification_version: 4
summary: rubyzip is a ruby module for reading and writing zip files
@@ -280,6 +285,7 @@
- test/data/rubycode2.zip
- test/data/mimetype
- test/data/zipWithEncryption.zip
+- test/data/path_traversal/tilde.zip
- test/data/path_traversal/Makefile
- test/data/path_traversal/relative1.zip
- test/data/path_traversal/jwilk/dirsymlink.zip
Binary files old/test/data/path_traversal/tilde.zip and
new/test/data/path_traversal/tilde.zip differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/file_extract_test.rb
new/test/file_extract_test.rb
--- old/test/file_extract_test.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/test/file_extract_test.rb 2019-09-25 21:38:00.000000000 +0200
@@ -10,6 +10,10 @@
::File.delete(EXTRACTED_FILENAME) if ::File.exist?(EXTRACTED_FILENAME)
end
+ def teardown
+ ::Zip.reset!
+ end
+
def test_extract
::Zip::File.open(TEST_ZIP.zip_name) do |zf|
zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
@@ -80,4 +84,62 @@
end
assert(!File.exist?(outFile))
end
+
+ def test_extract_incorrect_size
+ # The uncompressed size fields in the zip file cannot be trusted. This
makes
+ # it harder for callers to validate the sizes of the files they are
+ # extracting, which can lead to denial of service. See also
+ # https://en.wikipedia.org/wiki/Zip_bomb
+ Dir.mktmpdir do |tmp|
+ real_zip = File.join(tmp, 'real.zip')
+ fake_zip = File.join(tmp, 'fake.zip')
+ file_name = 'a'
+ true_size = 500_000
+ fake_size = 1
+
+ ::Zip::File.open(real_zip, ::Zip::File::CREATE) do |zf|
+ zf.get_output_stream(file_name) do |os|
+ os.write 'a' * true_size
+ end
+ end
+
+ compressed_size = nil
+ ::Zip::File.open(real_zip) do |zf|
+ a_entry = zf.find_entry(file_name)
+ compressed_size = a_entry.compressed_size
+ assert_equal true_size, a_entry.size
+ end
+
+ true_size_bytes = [compressed_size, true_size,
file_name.size].pack('LLS')
+ fake_size_bytes = [compressed_size, fake_size,
file_name.size].pack('LLS')
+
+ data = File.binread(real_zip)
+ assert data.include?(true_size_bytes)
+ data.gsub! true_size_bytes, fake_size_bytes
+
+ File.open(fake_zip, 'wb') do |file|
+ file.write data
+ end
+
+ Dir.chdir tmp do
+ ::Zip::File.open(fake_zip) do |zf|
+ a_entry = zf.find_entry(file_name)
+ assert_equal fake_size, a_entry.size
+
+ ::Zip.validate_entry_sizes = false
+ a_entry.extract
+ assert_equal true_size, File.size(file_name)
+ FileUtils.rm file_name
+
+ ::Zip.validate_entry_sizes = true
+ error = assert_raises ::Zip::EntrySizeError do
+ a_entry.extract
+ end
+ assert_equal \
+ 'Entry a should be 1B but is larger when inflated',
+ error.message
+ end
+ end
+ end
+ end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/file_test.rb new/test/file_test.rb
--- old/test/file_test.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/test/file_test.rb 2019-09-25 21:38:00.000000000 +0200
@@ -103,6 +103,13 @@
end
end
+ def test_open_buffer_with_string
+ string = File.read('test/data/rubycode.zip')
+ ::Zip::File.open_buffer string do |zf|
+ assert zf.entries.map { |e| e.name }.include?('zippedruby1.rb')
+ end
+ end
+
def test_open_buffer_with_stringio
string_io = StringIO.new File.read('test/data/rubycode.zip')
::Zip::File.open_buffer string_io do |zf|
@@ -113,14 +120,52 @@
def test_close_buffer_with_stringio
string_io = StringIO.new File.read('test/data/rubycode.zip')
zf = ::Zip::File.open_buffer string_io
- assert(zf.close || true) # Poor man's refute_raises
+ assert_nil zf.close
+ end
+
+ def test_open_buffer_no_op_does_not_change_file
+ Dir.mktmpdir do |tmp|
+ test_zip = File.join(tmp, 'test.zip')
+ FileUtils.cp 'test/data/rubycode.zip', test_zip
+
+ # Note: this may change the file if it is opened with r+b instead of rb.
+ # The 'extra fields' in this particular zip file get reordered.
+ File.open(test_zip, 'rb') do |file|
+ Zip::File.open_buffer(file) do |zf|
+ nil # do nothing
+ end
+ end
+
+ assert_equal \
+ File.binread('test/data/rubycode.zip'),
+ File.binread(test_zip)
+ end
+ end
+
+ def test_open_buffer_close_does_not_change_file
+ Dir.mktmpdir do |tmp|
+ test_zip = File.join(tmp, 'test.zip')
+ FileUtils.cp 'test/data/rubycode.zip', test_zip
+
+ File.open(test_zip, 'rb') do |file|
+ zf = Zip::File.open_buffer(file)
+ refute zf.commit_required?
+ assert_nil zf.close
+ end
+
+ assert_equal \
+ File.binread('test/data/rubycode.zip'),
+ File.binread(test_zip)
+ end
end
- def test_close_buffer_with_io
- f = File.open('test/data/rubycode.zip')
- zf = ::Zip::File.open_buffer f
- assert zf.close
- f.close
+ def test_open_buffer_with_io_and_block
+ File.open('test/data/rubycode.zip') do |io|
+ io.set_encoding(Encoding::BINARY) # not strictly required but can be set
+ Zip::File.open_buffer(io) do |zip_io|
+ # left empty on purpose
+ end
+ end
end
def test_open_buffer_without_block
@@ -158,6 +203,26 @@
AssertEntry.assert_contents(srcFile,
zfRead.get_input_stream(entryName) { |zis|
zis.read })
end
+
+ def test_add_stored
+ srcFile = 'test/data/file2.txt'
+ entryName = 'newEntryName.rb'
+ assert(::File.exist?(srcFile))
+ zf = ::Zip::File.new(EMPTY_FILENAME, ::Zip::File::CREATE)
+ zf.add_stored(entryName, srcFile)
+ zf.close
+
+ zfRead = ::Zip::File.new(EMPTY_FILENAME)
+ entry = zfRead.entries.first
+ assert_equal('', zfRead.comment)
+ assert_equal(1, zfRead.entries.length)
+ assert_equal(entryName, entry.name)
+ assert_equal(File.size(srcFile), entry.size)
+ assert_equal(entry.size, entry.compressed_size)
+ assert_equal(::Zip::Entry::STORED, entry.compression_method)
+ AssertEntry.assert_contents(srcFile,
+ zfRead.get_input_stream(entryName) { |zis|
zis.read })
+ end
def test_recover_permissions_after_add_files_to_archive
srcZip = TEST_ZIP.zip_name
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/path_traversal_test.rb
new/test/path_traversal_test.rb
--- old/test/path_traversal_test.rb 2018-08-31 18:20:18.000000000 +0200
+++ new/test/path_traversal_test.rb 2019-09-25 21:38:00.000000000 +0200
@@ -131,4 +131,11 @@
refute File.exist?('/tmp/file.txt')
end
end
+
+ def test_entry_name_with_tilde
+ in_tmpdir do
+ extract_path_traversal_zip 'tilde.zip'
+ assert File.exist?('~tilde~')
+ end
+ end
end
