Skip to content

Commit

Permalink
[CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb
Browse files Browse the repository at this point in the history 
Raise BadZipFile when try to read an entry that overlaps with
other entry or central directory.
(cherry picked from commit 66363b9)

From-PR: gh#python/cpython!110016
Fixes: gh#python#109858
Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
  • Loading branch information
@serhiy-storchaka @mcepl
serhiy-storchaka authored and mcepl committed May 16, 2024
1 parent 9ec41b7 commit d8877aa
Show file tree
Hide file tree
Showing 3 changed files with 76 additions and 0 deletions.
61 changes: 61 additions & 0 deletions Lib/test/test_zipfile.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@

from tempfile import TemporaryFile
from random import randint, random, getrandbits
from unittest import mock

from test.support import script_helper
from test.support import (TESTFN, findfile, unlink, rmtree, temp_dir, temp_cwd,
Expand Down Expand Up @@ -1610,6 +1611,66 @@ def test_open_conflicting_handles(self):
self.assertEqual(zipf.read('baz'), msg3)
self.assertEqual(zipf.namelist(), ['foo', 'bar', 'baz'])

@requires_zlib
def test_full_overlap(self):
data = (
b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed'
b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P'
b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2'
b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK'
b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05'
b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00'
b'\x00\x00\x00'
)
with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
self.assertEqual(zipf.namelist(), ['a', 'b'])
zi = zipf.getinfo('a')
self.assertEqual(zi.header_offset, 0)
self.assertEqual(zi.compress_size, 16)
self.assertEqual(zi.file_size, 1033)
zi = zipf.getinfo('b')
self.assertEqual(zi.header_offset, 0)
self.assertEqual(zi.compress_size, 16)
self.assertEqual(zi.file_size, 1033)
self.assertEqual(len(zipf.read('a')), 1033)
with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'):
zipf.read('b')

@requires_zlib
def test_quoted_overlap(self):
data = (
b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'
b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00'
b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l'
b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\'
b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0'
b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01'
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l'
b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00'
b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00'
b'\x00S\x00\x00\x00\x00\x00'
)
with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
self.assertEqual(zipf.namelist(), ['a', 'b'])
zi = zipf.getinfo('a')
self.assertEqual(zi.header_offset, 0)
self.assertEqual(zi.compress_size, 52)
self.assertEqual(zi.file_size, 1064)
zi = zipf.getinfo('b')
self.assertEqual(zi.header_offset, 36)
self.assertEqual(zi.compress_size, 16)
self.assertEqual(zi.file_size, 1033)
with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'):
zipf.read('a')
self.assertEqual(len(zipf.read('b')), 1033)

def tearDown(self):
unlink(TESTFN)
unlink(TESTFN2)
Expand Down
12 changes: 12 additions & 0 deletions Lib/zipfile.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -338,6 +338,7 @@ class ZipInfo (object):
'compress_size',
'file_size',
'_raw_time',
'_end_offset',
)

def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
Expand Down Expand Up @@ -376,6 +377,7 @@ def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
self.volume = 0 # Volume number of file header
self.internal_attr = 0 # Internal attributes
self.external_attr = 0 # External file attributes
self._end_offset = None # Start of the next local header or central directory
# Other attributes are set by class ZipFile:
# header_offset Byte offset to the file header
# CRC CRC-32 of the uncompressed file
Expand Down Expand Up @@ -1278,6 +1280,12 @@ def _RealGetContents(self):
if self.debug > 2:
print("total", total)

end_offset = self.start_dir
for zinfo in sorted(self.filelist,
key=lambda zinfo: zinfo.header_offset,
reverse=True):
zinfo._end_offset = end_offset
end_offset = zinfo.header_offset

def namelist(self):
"""Return a list of file names in the archive."""
Expand Down Expand Up @@ -1432,6 +1440,10 @@ def open(self, name, mode="r", pwd=None, *, force_zip64=False):
'File name in directory %r and header %r differ.'
% (zinfo.orig_filename, fname))

if (zinfo._end_offset is not None and
zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")

# check for encrypted flag & handle password
is_encrypted = zinfo.flag_bits & 0x1
zd = None
Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
BadZipFile when try to read an entry that overlaps with other entry or
central directory.

0 comments on commit d8877aa

Please sign in to comment.