Skip Menu |
 

This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 14129
Status: open
Priority: 0/
Queue: Archive-Zip

People
Owner: Nobody in particular
Requestors: ak2 [...] smr.ru
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Attachments


Subject: Non-root can't do extractTree for archs containing dirs w/o own-writable perm.
Download (untitled) / with headers
text/plain 1.5k
Hello, The problem is that if an arch contains dirs with permissions not allowing an owner to write, then this arch tree can't be extracted by non-root. As an example of such an arch the attached test.zip can be used. It contains dir test_dir and file test_dir/test_file: #ls -lR . .: total 4 dr-xr-xr-x 2 nobody nobody 4096 Aug 11 13:19 test_dir ./test_dir: total 4 -r--r--r-- 1 nobody nobody 9 Aug 11 13:30 test_file Try to extractTree the arch into /tmp/ as nobody(assuming you're root): su nobody -c 'perl -MArchive::Zip -e'\'' $z=Archive::Zip->new(); $z->read($ARGV[0]); $z->extractTree("", "/tmp/")'\'' test.zip' -s /bin/sh It fails: IO error: Can't open file /tmp/test_dir/test_file for write : Permission denied at /usr/lib/perl5/site_perl/5.8.6/Archive/Zip.pm line 1791 Archive::Zip::Member::extractToFileNamed('Archive::Zip::ZipFileMember=HASH(0x8c14e0c)', '/tmp/test_dir/test_file') called at /usr/lib/perl5/site_perl/5.8.6/Archive/Zip.pm line 1179 Archive::Zip::Archive::extractTree('Archive::Zip::Archive=HASH(0x8bf9d4c)', '', '/tmp/') called at -e line 1 Yet it could be done with unzip: su nobody -c 'unzip -d /tmp test.zip' -s /bin/sh Archive: test.zip creating: /tmp/test_dir/ extracting: /tmp/test_dir/test_file I suggest to make all arch items own-writable while extracting an arch tree (in extractToFileNamed called from extractTree) and then set properly all permissions after extraction (in extractTree) Suggested patch will be attached to the next post. After this patch has been applied, the test.zip attached is extracted perfectly. Best regards Alexey Kravchuk
Download test.zip
application/x-zip-compressed 305b

Message body not shown because it is not plain text.

Here is a patch Best regards Alexey Kravchuk
diff -ru Archive-Zip-1.16.orig/lib/Archive/Zip.pm Archive-Zip-1.16/lib/Archive/Zip.pm --- Archive-Zip-1.16.orig/lib/Archive/Zip.pm 2005-07-04 21:46:49.000000000 +0400 +++ Archive-Zip-1.16/lib/Archive/Zip.pm 2005-08-11 16:36:51.325178541 +0400 @@ -1187,9 +1187,28 @@ $fileName =~ s{$pattern}{$dest}; # in Unix format # convert to platform format: $fileName = Archive::Zip::_asLocalName( $fileName, $volume ); + $member->{ownWritable} = 1; my $status = $member->extractToFileNamed($fileName); + delete $member->{ownWritable}; return $status if $status != AZ_OK; } + + + # Dirs were made own-writable when they were extracted + # to allow further extraction in the dirs by non-root users. + # Here all dir/file modes should be set properly. + foreach my $member ( @members ) { + + my $fileName = $member->fileName(); # in Unix format + $fileName =~ s{$pattern}{$dest}; # in Unix format + # convert to platform format: + $fileName = Archive::Zip::_asLocalName( $fileName, $volume ); + + chmod $member->unixFileAttributes() & 07777, $fileName or warn "Can't chmod() $fileName: $!"; + + utime( $member->lastModTime(), $member->lastModTime(), $fileName ); + } + return AZ_OK; } @@ -2431,6 +2450,14 @@ my $self = shift; my $name = shift; # local FS name my $attribs = $self->unixFileAttributes() & 07777; + + # Dirs should be made own-writable while extracting from an arch. + # It is necessary to further extract items into the dir, + # if this is made by non-root user. + # Later, when the whole extraction is complete, all file/dir modes + # should be set properly. + $attribs |= 0700 if $self->{ownWritable}; + mkpath( $name, 0, $attribs ); # croaks on error utime( $self->lastModTime(), $self->lastModTime(), $name ); return AZ_OK;
From: rob [...] robredpath.co.uk
Download (untitled) / with headers
text/plain 443b
Hi, Is there any chance we could get this (or another solution to the same issue) rolled into a forthcoming release? We're hitting what appears to be this issue in a live deployment. My apologies if it's unrelated, but I couldn't see anything in the changelog that suggested this patch had been applied or issue resolved. Thanks :) Rob On Fri Aug 12 04:42:16 2005, guest wrote: Show quoted text
> Here is a patch > > Best regards > Alexey Kravchuk


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.