New submission from Cristi Fati <cristifa...@gmail.com>:
PKWARE encryption password pre check algorithm (relying on an 8 bits value to differentiate passwords) is insanely short. Most of the wrong passwords are filtered out by the check, but some of them aren't. For the ones in the latter category, when trying to extract an archive member, a 0 lengthed file with its name will be created on the FS (overwriting any previous version). Usecase: 1. Extract an archive member using the good password. File extracted 2. Extract the same member using a wrong password: 2.1 For most of the passwords, they will be detected and the operation cancelled 2.2 But some of them, they won't be detected (false positives), but the decryption itself will fail overwriting the file (from #1.) on FS but leaving it with 0 bytes content This is the about #2.2. More details on [[SO]: zipfile.BadZipFile: Bad CRC-32 when extracting a password protected .zip & .zip goes corrupt on extract (@CristiFati's answer)](https://stackoverflow.com/questions/54532010/zipfile-badzipfile-bad-crc-32-when-extracting-a-password-protected-zip-zip/55063500#55063500). ---------- components: Library (Lib) messages: 337543 nosy: CristiFati priority: normal severity: normal status: open title: zipfile - extract truncates (existing) file when bad password provided (zip encryption weakness) type: behavior versions: Python 3.6 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue36247> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com