From 5d00281e6325e97ca925534ae60d517f5b9f5594 Mon Sep 17 00:00:00 2001 From: Robert O'Shea Date: Wed, 24 May 2023 12:23:22 +0100 Subject: [PATCH 1/4] gh104527: Add check to not recursively write zipfile --- Lib/zipfile/__init__.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py index 9fc1840ba1e534..cd41a18c5bcc00 100644 --- a/Lib/zipfile/__init__.py +++ b/Lib/zipfile/__init__.py @@ -1806,6 +1806,9 @@ def write(self, filename, arcname=None, compress_type=None, compresslevel=None): """Put the bytes from filename into the archive under the name arcname.""" + if os.path.abspath(filename) == os.path.abspath(self.filename): + raise ValueError(f"Attempt to write {filename} in {self.filename} recursively") + if not self.fp: raise ValueError( "Attempt to write to ZIP archive that was already closed") From f572318e3a4ccb4576e07e22cdedfb7c6c0a6a48 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Wed, 24 May 2023 11:42:55 +0000 Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Library/2023-05-24-11-42-53.gh-issue-104527.KqXp3s.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Library/2023-05-24-11-42-53.gh-issue-104527.KqXp3s.rst diff --git a/Misc/NEWS.d/next/Library/2023-05-24-11-42-53.gh-issue-104527.KqXp3s.rst b/Misc/NEWS.d/next/Library/2023-05-24-11-42-53.gh-issue-104527.KqXp3s.rst new file mode 100644 index 00000000000000..f82d82b4957e61 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2023-05-24-11-42-53.gh-issue-104527.KqXp3s.rst @@ -0,0 +1 @@ +Added check when writing a ZipFile that the file to be written is not the archive itself From d53ce3856bf01e198d75689da6ff174e60aaac87 Mon Sep 17 00:00:00 2001 
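Review bot: The docstring of write() in the first patch's hunk is left unchanged, although the method now raises ValueError when `filename` is the archive itself. A caller reading the docstring cannot learn about that failure mode. A sentence such as `Raises ValueError if filename refers to the archive being written.` after the existing summary would document it. The body of write() continues past the end of the hunk.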
From: Robert O'Shea Date: Wed, 24 May 2023 13:27:07 +0100 Subject: [PATCH 3/4] gh104527: Fix failing tests when filename cannot be a path --- Lib/zipfile/__init__.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py index cd41a18c5bcc00..b6ffd71cec17e2 100644 --- a/Lib/zipfile/__init__.py +++ b/Lib/zipfile/__init__.py @@ -1806,9 +1806,6 @@ def write(self, filename, arcname=None, compress_type=None, compresslevel=None): """Put the bytes from filename into the archive under the name arcname.""" - if os.path.abspath(filename) == os.path.abspath(self.filename): - raise ValueError(f"Attempt to write {filename} in {self.filename} recursively") - if not self.fp: raise ValueError( "Attempt to write to ZIP archive that was already closed") @@ -1820,6 +1817,11 @@ def write(self, filename, arcname=None, zinfo = ZipInfo.from_file(filename, arcname, strict_timestamps=self._strict_timestamps) + if isinstance(self.filename, os.PathLike) or isinstance(self.filename, bytes) \ + or isinstance(self.filename, str): + if os.path.abspath(filename) == os.path.abspath(self.filename): + raise ValueError(f"Attempt to write {filename} in {self.filename} recursively") + if zinfo.is_dir(): zinfo.compress_size = 0 zinfo.CRC = 0 From 486b356f7e0a54b831eb7e8d8e4dbb4dd7923a2c Mon Sep 17 00:00:00 2001 From: Robert O'Shea Date: Tue, 11 Jul 2023 22:58:22 +0100 Subject: [PATCH 4/4] gh104527: Replace abspath with realpath --- Lib/zipfile/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py index b6ffd71cec17e2..23b4c9948531f7 100644 --- a/Lib/zipfile/__init__.py +++ b/Lib/zipfile/__init__.py 
@@ -1819,7 +1819,7 @@ def write(self, filename, arcname=None, if isinstance(self.filename, os.PathLike) or isinstance(self.filename, bytes) \ or isinstance(self.filename, str): - if os.path.abspath(filename) == os.path.abspath(self.filename): + if os.path.realpath(filename) == os.path.realpath(self.filename): raise ValueError(f"Attempt to write {filename} in {self.filename} recursively") if zinfo.is_dir():
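Review bot: The self-write guard on the new `os.path.realpath(filename) == os.path.realpath(self.filename)` line compares path strings, so it can miss two names that reach the same file. A hard link to the archive has a different real path, and a `str` filename never compares equal to a `bytes` archive name even when both name the same file. In either case write() would go on to read the archive into itself, which is the condition this series sets out to block. Comparing file identity instead, `if os.path.samefile(filename, self.filename):`, covers both cases; it stats both paths, so an archive path removed or renamed after opening would raise OSError and may need handling. The body of write() continues beyond the hunk.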