This queue is for tickets about the Archive-Zip CPAN distribution.

Subject: Non-root can't do extractTree for archs containing dirs w/o own-writable perm.
Hello,

The problem is that if an arch contains dirs with permissions not allowing an owner to write, then this arch tree can't be extracted by non-root.

As an example of such an arch the attached can be used. It contains dir test_dir and file test_dir/test_file:

    #ls -lR .
    .:
    total 4
    dr-xr-xr-x 2 nobody nobody 4096 Aug 11 13:19 test_dir

    ./test_dir:
    total 4
    -r--r--r-- 1 nobody nobody 9 Aug 11 13:30 test_file

Try to extractTree the arch into /tmp/ as nobody (assuming you're root):

    su nobody -c 'perl -MArchive::Zip -e'\'' $z=Archive::Zip->new(); $z->read($ARGV[0]); $z->extractTree("", "/tmp/")'\''' -s /bin/sh

It fails:

    IO error: Can't open file /tmp/test_dir/test_file for write : Permission denied at /usr/lib/perl5/site_perl/5.8.6/Archive/ line 1791
    Archive::Zip::Member::extractToFileNamed('Archive::Zip::ZipFileMember=HASH(0x8c14e0c)', '/tmp/test_dir/test_file') called at /usr/lib/perl5/site_perl/5.8.6/Archive/ line 1179
    Archive::Zip::Archive::extractTree('Archive::Zip::Archive=HASH(0x8bf9d4c)', '', '/tmp/') called at -e line 1

Yet it could be done with unzip:

    su nobody -c 'unzip -d /tmp' -s /bin/sh
    Archive:
     creating: /tmp/test_dir/
     extracting: /tmp/test_dir/test_file

I suggest to make all arch items own-writable while extracting an arch tree (in extractToFileNamed called from extractTree) and then set properly all permissions after extraction (in extractTree).

Suggested patch will be attached to the next post. After this patch has been applied, the attached is extracted perfectly.

Best regards
Alexey Kravchuk


Here is a patch

Best regards
Alexey Kravchuk
diff -ru Archive-Zip-1.16.orig/lib/Archive/ Archive-Zip-1.16/lib/Archive/ --- Archive-Zip-1.16.orig/lib/Archive/ 2005-07-04 21:46:49.000000000 +0400 +++ Archive-Zip-1.16/lib/Archive/ 2005-08-11 16:36:51.325178541 +0400 @@ -1187,9 +1187,28 @@ $fileName =~ s{$pattern}{$dest}; # in Unix format # convert to platform format: $fileName = Archive::Zip::_asLocalName( $fileName, $volume ); + $member->{ownWritable} = 1; my $status = $member->extractToFileNamed($fileName); + delete $member->{ownWritable}; return $status if $status != AZ_OK; } + + + # Dirs were made own-writable when they were extracted + # to allow further extraction in the dirs by non-root users. + # Here all dir/file modes should be set properly. + foreach my $member ( @members ) { + + my $fileName = $member->fileName(); # in Unix format + $fileName =~ s{$pattern}{$dest}; # in Unix format + # convert to platform format: + $fileName = Archive::Zip::_asLocalName( $fileName, $volume ); + + chmod $member->unixFileAttributes() & 07777, $fileName or warn "Can't chmod() $fileName: $!"; + + utime( $member->lastModTime(), $member->lastModTime(), $fileName ); + } + return AZ_OK; } @@ -2431,6 +2450,14 @@ my $self = shift; my $name = shift; # local FS name my $attribs = $self->unixFileAttributes() & 07777; + + # Dirs should be made own-writable while extracting from an arch. + # It is necessary to further extract items into the dir, + # if this is made by non-root user. + # Later, when the whole extraction is complete, all file/dir modes + # should be set properly. + $attribs |= 0700 if $self->{ownWritable}; + mkpath( $name, 0, $attribs ); # croaks on error utime( $self->lastModTime(), $self->lastModTime(), $name ); return AZ_OK;
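Review bot: In the new restore loop in extractTree, `chmod $member->unixFileAttributes() & 07777, $fileName` applies the archive's mode bits verbatim, setuid, setgid and sticky included, and an explicit chmod is not filtered by the process umask the way the mode passed to mkpath is; masking with `0777 & ~umask` unless the caller asks for exact modes would be safer. The loop also walks @members in archive order, so a directory whose stored mode lacks owner search permission is restored before its children and their chmod/utime can then fail; restoring the deepest paths first avoids that. The utime return value is not checked, and on the early `return $status if $status != AZ_OK;` the restore loop is skipped, so directories already created keep the extra 0700 bits.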
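Review bot: In the second hunk, the widening `$attribs |= 0700 if $self->{ownWritable};` is driven by a private hash slot that extractTree sets before the call and deletes after it, and the context comment on mkpath says it croaks on error; in that case the `delete $member->{ownWritable};` in extractTree never runs and the flag stays on the member for any later extraction. Setting it in the caller with `local $member->{ownWritable} = 1;` would restore it on every exit path, or the flag could be passed as an argument instead of through the object. The behaviour also needs a line in the POD, since directories briefly exist with a mode other than the one stored in the archive.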
Hi,

Is there any chance we could get this (or another solution to the same issue) rolled into a forthcoming release? We're hitting what appears to be this issue in a live deployment.

My apologies if it's unrelated, but I couldn't see anything in the changelog that suggested this patch had been applied or issue resolved.

Thanks :)

Rob

On Fri Aug 12 04:42:16 2005, guest wrote:
> Here is a patch
>
> Best regards
> Alexey Kravchuk
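
The extraction order proposed in this ticket, as an added example that is not part of the original thread or of Archive::Zip: directories are created 0700, files are extracted, then directory modes and times are restored deepest-first. The helper name extract_deferred, the `0777 & ~umask` mask and the sample archive are assumptions made for the example; member names are assumed to be trusted.

```perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Path qw(mkpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not part of Archive::Zip): extract all members of $zip
# under $dest, deferring directory modes until every file has been written.
sub extract_deferred {
    my ( $zip, $dest ) = @_;
    my @dirs;    # [ local path, mode stored in archive, mtime ]
    for my $member ( $zip->members() ) {
        my $path = File::Spec->catfile( $dest, split m{/}, $member->fileName() );
        if ( $member->isDirectory() ) {
            # Pass 1: create the directory usable by its owner only.
            mkpath( $path, 0, 0700 );    # croaks on error
            chmod 0700, $path or die "Can't chmod $path: $!\n";
            push @dirs, [ $path, $member->unixFileAttributes(), $member->lastModTime() ];
        }
        else {
            $member->extractToFileNamed($path) == AZ_OK
                or die "Can't extract to $path\n";
        }
    }
    # Pass 2: restore deepest paths first, so a parent that loses its search
    # bit cannot block chmod/utime on its children.
    my $keep = 0777 & ~umask;    # assumption: drop set-id/sticky bits, honour umask
    for my $d ( sort { length $b->[0] <=> length $a->[0] } @dirs ) {
        my ( $path, $mode, $mtime ) = @$d;
        chmod $mode & $keep, $path or die "Can't chmod $path: $!\n";
        utime $mtime, $mtime, $path or warn "Can't utime $path: $!\n";
    }
    return AZ_OK;
}

# Constructed sample mirroring the report: test_dir (0555) holding test_file (0444).
my $tmp = tempdir( CLEANUP => 1 );
my $out = Archive::Zip->new();
$out->addDirectory('test_dir/')->unixFileAttributes(0555);
$out->addString( "test data", 'test_dir/test_file' )->unixFileAttributes(0444);
$out->writeToFileNamed("$tmp/sample.zip") == AZ_OK or die "Can't write sample\n";

my $zip = Archive::Zip->new();
$zip->read("$tmp/sample.zip") == AZ_OK or die "Can't read sample\n";
mkdir "$tmp/out" or die "Can't mkdir $tmp/out: $!\n";
extract_deferred( $zip, "$tmp/out" );
printf "%04o %s\n", ( stat "$tmp/out/$_" )[2] & 07777, $_
    for qw(test_dir test_dir/test_file);
```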
