[issue29739] zipfile raises wrong exception for some incorrect passwords

2017-06-18 Thread Jack Cushman

Jack Cushman added the comment:

Agreed that no one should be using zip encryption. :) I hit this issue working 
on an academic exercise. I'm fine with closing this. 

(I do think the exception types in zipfile set up a trap for the programmer 
here: Python throws a different exception type 1/256 of the time for the same 
error case, which is undocumented and hard to discover by trial and error. It's 
pretty unlikely that anyone would write a correct `try-except` block for zip 
decryption on their first few attempts, and someone who needs to catch bad 
passwords but not bad zip files will most likely ship broken code. But just 
catching RuntimeError and BadZipfile gets you pretty close, so I don't think 
it's a big deal.)

--
status: pending -> open

___
Python tracker 
<http://bugs.python.org/issue29739>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29739] zipfile raises wrong exception for some incorrect passwords

2017-03-06 Thread Jack Cushman

New submission from Jack Cushman:

This bug arises when attempting to unzip a password-protected zipfile using the 
wrong password.

Usually when zipfile extraction is attempted with an incorrect password, 
zipfile raises `RuntimeError("Bad password for file")`. But for a small subset 
of passwords (about .4% of possible passwords), it instead raises 
`BadZipfile("Bad CRC-32 for file")`.

Attached is a script that attempts to decrypt a zip file using every 3-letter 
uppercase password. (This assumes you have first created the zip file, by 
running something like: `echo "stuff" > /tmp/foo.txt; zip -e -P password 
/tmp/foo.zip /tmp/foo.txt`.)

The specific passwords that trigger the wrong exception will vary each time the 
zip file is created. On my system, for a particular zip file, the result is 
this output:

69 out of 17576 passwords raise BadZipFile


Versions:

I reproduced this in Python 2.7.10 and 3.6.0, using a zip file created on Mac 
OS 10.12.3 with this zip version: 


$ zip --version
Copyright (c) 1990-2008 Info-ZIP - Type 'zip "-L"' for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
Compiled with gcc 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34) for Unix 
(Mac OS X) on Jul 30 2016.

--
components: Library (Lib)
files: fail.py
messages: 289132
nosy: jcushman
priority: normal
severity: normal
status: open
title: zipfile raises wrong exception for some incorrect passwords
type: behavior
versions: Python 2.7, Python 3.6
Added file: http://bugs.python.org/file46706/fail.py




[issue29739] zipfile raises wrong exception for some incorrect passwords

2017-03-07 Thread Jack Cushman

Jack Cushman added the comment:

Ah, thanks! That makes sense. I see it's documented in "man unzip" as well:

"The correct password will always check out against the header, but there is a 
1-in-256 chance that an incorrect password will as well. (This is a security 
feature of the PKWARE zipfile format; it helps prevent brute-force attacks 
that might otherwise gain a large speed advantage by testing only the header.) 
In the case that an incorrect password is given but it passes the header test 
anyway, either an incorrect CRC will be generated for the extracted data or 
else unzip will fail during the extraction because the ``decrypted'' 
bytes do not constitute a valid compressed data stream."

Would it make sense to add a note to documentation for zipfile functions that 
take a password?

--

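As an added example (not code from the report, its attached fail.py, or CPython itself), the behaviour described in the report and in the man page excerpt above, reproduced offline: a ZipCrypto encryptor and a hand-built one-entry STORED archive (a constructed sample, so no external `zip` binary is needed; flag bit 3 is left clear, so the header check byte is the high byte of the CRC), followed by a sweep over the same 3-letter uppercase password space as the attached script, counting which exception each wrong password raises. The names `zipcrypto_encrypt`, `build_encrypted_zip`, `sweep` and `ALL_3_UPPER` are this example's own.

```python
import io
import itertools
import struct
import zipfile
import zlib

ALL_3_UPPER = [bytes(p) for p in itertools.product(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ", repeat=3)]

def zipcrypto_encrypt(pwd, data):
    """Traditional PKWARE (ZipCrypto) encryption of data under pwd (both bytes)."""
    crc_step = lambda crc, b: zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(c):
        nonlocal k0, k1, k2
        k0 = crc_step(k0, c)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_step(k2, k1 >> 24)
    for c in pwd:
        update(c)
    out = bytearray()
    for p in data:
        t = k2 | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)  # the key schedule advances on the plaintext byte
    return bytes(out)

def build_encrypted_zip(name, plaintext, pwd, salt=b"\x00" * 11):
    """Constructed sample: a one-entry STORED archive with ZipCrypto-encrypted data."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # Only the last of the 12 header bytes (the CRC's high byte) is checked before decrypting.
    body = zipcrypto_encrypt(pwd, salt + bytes([crc >> 24]) + plaintext)
    hdr = (crc, len(body), len(plaintext), len(name), 0)  # CRC, sizes, name and extra lengths
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0, *hdr) + name  # flag bit 0 = encrypted
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0, *hdr, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def sweep(zip_bytes, name, passwords=ALL_3_UPPER):
    """Count how each attempt ends; a caller must treat both exception types as 'wrong password'."""
    counts = {"ok": 0, "bad-password": 0, "bad-crc": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in passwords:
            try:
                zf.read(name, pwd=pwd)
                counts["ok"] += 1
            except RuntimeError:        # check byte mismatched: 255 of 256 wrong passwords
                counts["bad-password"] += 1
            except zipfile.BadZipFile:  # check byte matched by chance, then the CRC failed
                counts["bad-crc"] += 1
    return counts
```

`sweep(build_encrypted_zip(b"foo.txt", b"stuff\n", b"password"), "foo.txt")` puts roughly 1 in 256 of the 17576 attempts under `bad-crc` and the rest under `bad-password`; code that catches only `RuntimeError` will let the former escape.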