[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Massimo Sala
Massimo Sala added the comment: I chose to use the internal variable *concat* because - if I recollect correctly, it is calculated before successive routines; - I didn't see your solution (!), there is a very nice computed variable in front of my eyes. Mmh 1) Reliability Cannot be sure this

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Massimo Sala
Massimo Sala added the comment: Sorry I forgot to mention one specific case. We have valid archives with a starting "blob": digitally signed zip files, their filename extension is ".zip.p7m". I agree your tip can be useful to other readers. Best regards, Sala On Sat, 18 Apr 2020 at 15:45, Ser

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Daniel Hillier
Daniel Hillier added the comment: Hi Massimo, Unless I'm missing something about your requirements, the advantage is that it already works in python 2.7 so there is no need to patch Python. Just bundle the above function with your analysis tool and you're good to go. Cheers, Dan On Sat, Apr

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Just check the first 4 bytes of the file. In a "normal" ZIP archive they are b'PK\3\4' (or b'PK\5\6' if it is empty). It is as reliable as checking the offset, and more efficient. It is even more reliable, because a malware can have zero ZIP archive offset,

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Massimo Sala
Massimo Sala added the comment: Hi Daniel Could you please elaborate the advantages of your loop versus my two lines of code? I don't grasp... Thanks, Massimo On Sat, 18 Apr 2020 at 03:26, Daniel Hillier wrote: > > Daniel Hillier added the comment: > > Could something similar be achieved

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Massimo Sala
Massimo Sala added the comment: Hi Serhiy Thanks for the suggestion but I don't need to analyse different self-extraction payloads (and I think it is always unreliable, there are too many self-extractors in the wild). I spend two words about my work. I analyze ZIP archives because they are t

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Massimo Sala
Massimo Sala added the comment: On Sat, 18 Apr 2020 at 04:37, Steven D'Aprano wrote: If we made an exception for you, then people using Python 2.7 still couldn't use this feature: `myzipfile.offset` would fail on code using Python 2.7, 2.7.1, 2.7.2, 2.7.3, ... 2.7.17 and only work with

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-18 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I am not sure it would help you. There are legitimate files which contain a payload followed by the ZIP archive (self-extracting archives, programs with embedded ZIP archives). And the malware can make the offset of the ZIP archive be zero. If you want to

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-17 Thread Steven D'Aprano
Steven D'Aprano added the comment: Sorry Massimo, there are no new features being added to 2.7, not even critical security fixes. That's not my decision. https://www.python.org/doc/sunset-python-2/ Python 2 is effectively now a dead project from the point of view of us here at CPython. The

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-17 Thread Daniel Hillier
Daniel Hillier added the comment: Could something similar be achieved by looking for the earliest file header offset? def find_earliest_header_offset(zf): earliest_offset = None for zinfo in zf.infolist(): if earliest_offset is None: earliest_offset = zinfo.header_

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-17 Thread Massimo Sala
Massimo Sala added the comment: Hi Steven Every software "ecosystem" has its guidelines and I am a newbie about python development. Mmh I see your concerns. I agree about your deletions of all py 3 versions before the latest 3.9. About Py 2, I remark these facts: - there are a lot of forensi

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-16 Thread Zachary Ware
Change by Zachary Ware: nosy: +alanmcintyre, serhiy.storchaka, twouters

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-16 Thread Steven D'Aprano
Steven D'Aprano added the comment: This is a new feature and cannot be added to older versions which are in feature-freeze. Adding the feature to (say) Python 2.7.18 would be inconsistent, because it wouldn't exist in 2.7.0 through .17. Likewise for all the other versions before 3.9. Perso

[issue40301] zipfile module: new feature (two lines of code), useful for test, security and forensics

2020-04-16 Thread Massimo Sala
Change by Massimo Sala: title: zipfile module: new feature (two lines of code) -> zipfile module: new feature (two lines of code), useful for test, security and forensics

[issue40301] zipfile module: new feature (two lines of code)

2020-04-16 Thread Massimo Sala
New submission from Massimo Sala: module zipfile Tag "Components": I am not sure "Library (Lib)" is the correct one. If it isn't, please fix. I use python to check zip files against malware. In these files there are binary blobs outside the ZIP archive. The malware payload isn't inside the ZIP