rubyzip 1.0.0 → 2.4.1

data/lib/zip/entry.rb

@@ -1,3 +1,4 @@
+require 'pathname'
 module Zip
   class Entry
     STORED   = 0
@@ -7,6 +8,7 @@ module Zip
 
     attr_accessor :comment, :compressed_size, :crc, :extra, :compression_method,
                   :name, :size, :local_header_offset, :zipfile, :fstype, :external_file_attributes,
+                  :internal_file_attributes,
                   :gp_flags, :header_signature, :follow_symlinks,
                   :restore_times, :restore_permissions, :restore_ownership,
                   :unix_uid, :unix_gid, :unix_perms,
@@ -15,13 +17,13 @@ module Zip
 
     def set_default_vars_values
       @local_header_offset      = 0
-      @local_header_size        = 0
+      @local_header_size        = nil # not known until local entry is created or read
       @internal_file_attributes = 1
       @external_file_attributes = 0
       @header_signature         = ::Zip::CENTRAL_DIRECTORY_ENTRY_SIGNATURE
 
       @version_needed_to_extract = VERSION_NEEDED_TO_EXTRACT
-      @version                   = 52 # this library's version
+      @version                   = VERSION_MADE_BY
 
       @ftype           = nil          # unspecified or unknown
       @filepath        = nil
@@ -32,48 +34,73 @@ module Zip
       end
       @follow_symlinks = false
 
-      @restore_times       = true
+      @restore_times       = false
       @restore_permissions = false
       @restore_ownership   = false
       # BUG: need an extra field to support uid/gid's
       @unix_uid            = nil
       @unix_gid            = nil
       @unix_perms          = nil
-      #@posix_acl = nil
-      #@ntfs_acl = nil
+      # @posix_acl = nil
+      # @ntfs_acl = nil
       @dirty               = false
     end
 
     def check_name(name)
-      if name.start_with?('/')
-        raise ::Zip::ZipEntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /"
-      end
+      return unless name.start_with?('/')
+
+      raise ::Zip::EntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /"
     end
 
-    def initialize(*args)
-      name = args[1] || ''
+    # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def initialize(zipfile = nil, name = nil, *args)
+      name ||= ''
       check_name(name)
 
       set_default_vars_values
       @fstype = ::Zip::RUNNING_ON_WINDOWS ? ::Zip::FSTYPE_FAT : ::Zip::FSTYPE_UNIX
 
-      @zipfile            = args[0] || ''
+      @zipfile            = zipfile || ''
       @name               = name
-      @comment            = args[2] || ''
-      @extra              = args[3] || ''
-      @compressed_size    = args[4] || 0
-      @crc                = args[5] || 0
-      @compression_method = args[6] || ::Zip::Entry::DEFLATED
-      @size               = args[7] || 0
-      @time               = args[8] || ::Zip::DOSTime.now
+
+      if (args_hash = args.first).kind_of?(::Hash)
+        @comment            = args_hash[:comment] || ''
+        @extra              = args_hash[:extra] || ''
+        @compressed_size    = args_hash[:compressed_size] || 0
+        @crc                = args_hash[:crc] || 0
+        @compression_method = args_hash[:compression_method] || ::Zip::Entry::DEFLATED
+        @size               = args_hash[:size] || 0
+        @time               = args_hash[:time] || ::Zip::DOSTime.now
+      else
+        Zip.warn_about_v3_api('Zip::Entry.new') unless args.empty?
+
+        @comment            = args[0] || ''
+        @extra              = args[1] || ''
+        @compressed_size    = args[2] || 0
+        @crc                = args[3] || 0
+        @compression_method = args[4] || ::Zip::Entry::DEFLATED
+        @size               = args[5] || 0
+        @time               = args[6] || ::Zip::DOSTime.now
+      end
 
       @ftype = name_is_directory? ? :directory : :file
-      @extra = ::Zip::ExtraField.new(@extra.to_s) unless ::Zip::ExtraField === @extra
+      @extra = ::Zip::ExtraField.new(@extra.to_s) unless @extra.kind_of?(::Zip::ExtraField)
+    end
+    # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+    def encrypted?
+      gp_flags & 1 == 1
+    end
+
+    def incomplete?
+      gp_flags & 8 == 8
     end
 
     def time
       if @extra['UniversalTime']
         @extra['UniversalTime'].mtime
+      elsif @extra['NTFS']
+        @extra['NTFS'].mtime
       else
         # Standard time field in central directory has local time
         # under archive creator. Then, we can't get timezone.
@@ -81,23 +108,24 @@ module Zip
       end
     end
 
-    alias :mtime :time
+    alias mtime time
 
     def time=(value)
-      unless @extra.member?('UniversalTime')
+      unless @extra.member?('UniversalTime') || @extra.member?('NTFS')
         @extra.create('UniversalTime')
       end
-      @extra['UniversalTime'].mtime = value
-      @time                         = value
+      (@extra['UniversalTime'] || @extra['NTFS']).mtime = value
+      @time = value
     end
 
     def file_type_is?(type)
-      raise ZipInternalError, "current filetype is unknown: #{self.inspect}" unless @ftype
+      raise InternalError, "current filetype is unknown: #{inspect}" unless @ftype
+
       @ftype == type
     end
 
     # Dynamic checkers
-    %w(directory file symlink).each do |k|
+    %w[directory file symlink].each do |k|
       define_method "#{k}?" do
         file_type_is?(k.to_sym)
       end
@@ -107,6 +135,18 @@ module Zip
       @name.end_with?('/')
     end
 
+    # Is the name a relative path, free of `..` patterns that could lead to
+    # path traversal attacks? This does NOT handle symlinks; if the path
+    # contains symlinks, this check is NOT enough to guarantee safety.
+    def name_safe?
+      cleanpath = Pathname.new(@name).cleanpath
+      return false unless cleanpath.relative?
+
+      root = ::File::SEPARATOR
+      naive_expanded_path = ::File.join(root, cleanpath.to_s)
+      ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
+    end
+
     def local_entry_offset #:nodoc:all
       local_header_offset + @local_header_size
     end
@@ -124,29 +164,66 @@ module Zip
     end
 
     def calculate_local_header_size #:nodoc:all
-      fix_zip64_sizes!
       LOCAL_ENTRY_STATIC_HEADER_LENGTH + name_size + extra_size
     end
 
+    # check before rewriting an entry (after file sizes are known)
+    # that we didn't change the header size (and thus clobber file data or something)
+    def verify_local_header_size!
+      return if @local_header_size.nil?
+
+      new_size = calculate_local_header_size
+      raise Error, "local header size changed (#{@local_header_size} -> #{new_size})" if @local_header_size != new_size
+    end
+
     def cdir_header_size #:nodoc:all
       CDIR_ENTRY_STATIC_HEADER_LENGTH + name_size +
         (@extra ? @extra.c_dir_size : 0) + comment_size
     end
 
     def next_header_offset #:nodoc:all
-      local_entry_offset + self.compressed_size
+      local_entry_offset + compressed_size + data_descriptor_size
     end
 
     # Extracts entry to file dest_path (defaults to @name).
-    def extract(dest_path = @name, &block)
+    # NB: The caller is responsible for making sure dest_path is safe, if it
+    # is passed.
+    def extract(dest_path = nil, &block)
+      Zip.warn_about_v3_api('Zip::Entry#extract')
+
+      if dest_path.nil? && !name_safe?
+        warn "WARNING: skipped '#{@name}' as unsafe."
+        return self
+      end
+
+      dest_path ||= @name
       block ||= proc { ::Zip.on_exists_proc }
 
-      if directory? || file? || symlink?
-        self.__send__("create_#{@ftype}", dest_path, &block)
-      else
-        raise RuntimeError, "unknown file type #{self.inspect}"
+      raise "unknown file type #{inspect}" unless directory? || file? || symlink?
+
+      __send__("create_#{@ftype}", dest_path, &block)
+      self
+    end
+
+    # Extracts this entry to a file at `entry_path`, with
+    # `destination_directory` as the base location in the filesystem.
+    #
+    # NB: The caller is responsible for making sure `destination_directory` is
+    # safe, if it is passed.
+    def extract_v3(entry_path = @name, destination_directory: '.', &block)
+      dest_dir = ::File.absolute_path(destination_directory || '.')
+      extract_path = ::File.absolute_path(::File.join(dest_dir, entry_path))
+
+      unless extract_path.start_with?(dest_dir)
+        warn "WARNING: skipped extracting '#{@name}' to '#{extract_path}' as unsafe."
+        return self
       end
 
+      block ||= proc { ::Zip.on_exists_proc }
+
+      raise "unknown file type #{inspect}" unless directory? || file? || symlink?
+
+      __send__(:"create_#{ftype}", extract_path, &block)
       self
     end
 
@@ -154,41 +231,41 @@ module Zip
       @name
     end
 
-    protected
-
     class << self
       def read_zip_short(io) # :nodoc:
-        io.read(2).unpack('v')[0]
+        io.read(2).unpack1('v')
       end
 
       def read_zip_long(io) # :nodoc:
-        io.read(4).unpack('V')[0]
+        io.read(4).unpack1('V')
       end
 
       def read_zip_64_long(io) # :nodoc:
-        io.read(8).unpack('V')[0]
+        io.read(8).unpack1('Q<')
       end
 
       def read_c_dir_entry(io) #:nodoc:all
-        entry = new(io.path)
+        path = if io.respond_to?(:path)
+                 io.path
+               else
+                 io
+               end
+        entry = new(path)
         entry.read_c_dir_entry(io)
         entry
-      rescue ZipError
+      rescue Error
         nil
       end
 
       def read_local_entry(io)
-        entry = new(io.path)
+        entry = new(io)
         entry.read_local_entry(io)
         entry
-      rescue ZipError
+      rescue Error
         nil
       end
-
     end
 
-    public
-
     def unpack_local_entry(buf)
       @header_signature,
         @version,
@@ -207,57 +284,67 @@ module Zip
     def read_local_entry(io) #:nodoc:all
       @local_header_offset = io.tell
 
-      static_sized_fields_buf = io.read(::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH)
+      static_sized_fields_buf = io.read(::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH) || ''
 
       unless static_sized_fields_buf.bytesize == ::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH
-        raise ZipError, "Premature end of file. Not enough data for zip entry local header"
+        raise Error, 'Premature end of file. Not enough data for zip entry local header'
       end
 
       unpack_local_entry(static_sized_fields_buf)
 
       unless @header_signature == ::Zip::LOCAL_ENTRY_SIGNATURE
-        raise ::Zip::ZipError, "Zip local header magic not found at location '#{local_header_offset}'"
+        raise ::Zip::Error, "Zip local header magic not found at location '#{local_header_offset}'"
       end
+
       set_time(@last_mod_date, @last_mod_time)
 
       @name = io.read(@name_length)
       extra = io.read(@extra_length)
 
-      @name.gsub!('\\', '/')
+      @name.tr!('\\', '/')
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
 
       if extra && extra.bytesize != @extra_length
-        raise ::Zip::ZipError, "Truncated local zip entry header"
+        raise ::Zip::Error, 'Truncated local zip entry header'
+      end
+
+      if @extra.kind_of?(::Zip::ExtraField)
+        @extra.merge(extra) if extra
       else
-        if ::Zip::ExtraField === @extra
-          @extra.merge(extra)
-        else
-          @extra = ::Zip::ExtraField.new(extra)
-        end
+        @extra = ::Zip::ExtraField.new(extra)
       end
+
+      parse_zip64_extra(true)
       @local_header_size = calculate_local_header_size
     end
 
     def pack_local_entry
+      zip64 = @extra['Zip64']
       [::Zip::LOCAL_ENTRY_SIGNATURE,
        @version_needed_to_extract, # version needed to extract
-       @gp_flags, # @gp_flags                  ,
+       @gp_flags, # @gp_flags
        @compression_method,
-       @time.to_binary_dos_time, # @last_mod_time              ,
-       @time.to_binary_dos_date, # @last_mod_date              ,
+       @time.to_binary_dos_time, # @last_mod_time
+       @time.to_binary_dos_date, # @last_mod_date
        @crc,
-       @compressed_size,
-       @size,
+       zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+       zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
        name_size,
        @extra ? @extra.local_size : 0].pack('VvvvvvVVVvv')
     end
 
-    def write_local_entry(io) #:nodoc:all
+    def write_local_entry(io, rewrite = false) #:nodoc:all
+      prep_zip64_extra(true)
+      verify_local_header_size! if rewrite
       @local_header_offset = io.tell
 
       io << pack_local_entry
 
       io << @name
-      io << (@extra ? @extra.to_local_bin : '')
+      io << @extra.to_local_bin if @extra
+      @local_header_size = io.tell - @local_header_offset
     end
 
     def unpack_c_dir_entry(buf)
@@ -287,7 +374,7 @@ module Zip
     def set_ftype_from_c_dir_entry
       @ftype = case @fstype
                when ::Zip::FSTYPE_UNIX
-                 @unix_perms = (@external_file_attributes >> 16) & 07777
+                 @unix_perms = (@external_file_attributes >> 16) & 0o7777
                  case (@external_file_attributes >> 28)
                  when ::Zip::FILE_TYPE_DIR
                    :directory
@@ -296,8 +383,8 @@ module Zip
                  when ::Zip::FILE_TYPE_SYMLINK
                    :symlink
                  else
-                   #best case guess for whether it is a file or not
-                   #Otherwise this would be set to unknown and that entry would never be able to extracted
+                   # best case guess for whether it is a file or not
+                   # Otherwise this would be set to unknown and that entry would never be able to extracted
                    if name_is_directory?
                      :directory
                    else
@@ -314,25 +401,25 @@ module Zip
     end
 
     def check_c_dir_entry_static_header_length(buf)
-      unless buf.bytesize == ::Zip::CDIR_ENTRY_STATIC_HEADER_LENGTH
-        raise ZipError, 'Premature end of file. Not enough data for zip cdir entry header'
-      end
+      return if buf.bytesize == ::Zip::CDIR_ENTRY_STATIC_HEADER_LENGTH
+
+      raise Error, 'Premature end of file. Not enough data for zip cdir entry header'
     end
 
     def check_c_dir_entry_signature
-      unless header_signature == ::Zip::CENTRAL_DIRECTORY_ENTRY_SIGNATURE
-        raise ZipError, "Zip local header magic not found at location '#{local_header_offset}'"
-      end
+      return if header_signature == ::Zip::CENTRAL_DIRECTORY_ENTRY_SIGNATURE
+
+      raise Error, "Zip local header magic not found at location '#{local_header_offset}'"
     end
 
     def check_c_dir_entry_comment_size
-      unless @comment && @comment.bytesize == @comment_length
-        raise ::Zip::ZipError, "Truncated cdir zip entry header"
-      end
+      return if @comment && @comment.bytesize == @comment_length
+
+      raise ::Zip::Error, 'Truncated cdir zip entry header'
     end
 
     def read_c_dir_extra_field(io)
-      if @extra.is_a?(::Zip::ExtraField)
+      if @extra.kind_of?(::Zip::ExtraField)
         @extra.merge(io.read(@extra_length))
       else
         @extra = ::Zip::ExtraField.new(io.read(@extra_length))
@@ -345,70 +432,78 @@ module Zip
       unpack_c_dir_entry(static_sized_fields_buf)
       check_c_dir_entry_signature
       set_time(@last_mod_date, @last_mod_time)
-      @name = io.read(@name_length).gsub('\\', '/')
+      @name = io.read(@name_length)
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
       read_c_dir_extra_field(io)
       @comment = io.read(@comment_length)
       check_c_dir_entry_comment_size
       set_ftype_from_c_dir_entry
-      @local_header_size = calculate_local_header_size
+      parse_zip64_extra(false)
     end
 
     def file_stat(path) # :nodoc:
       if @follow_symlinks
-        ::File::stat(path)
+        ::File.stat(path)
       else
-        ::File::lstat(path)
+        ::File.lstat(path)
       end
     end
 
     def get_extra_attributes_from_path(path) # :nodoc:
-      unless Zip::RUNNING_ON_WINDOWS
-        stat        = file_stat(path)
-        @unix_uid   = stat.uid
-        @unix_gid   = stat.gid
-        @unix_perms = stat.mode & 07777
-      end
+      return if Zip::RUNNING_ON_WINDOWS
+
+      stat        = file_stat(path)
+      @unix_uid   = stat.uid
+      @unix_gid   = stat.gid
+      @unix_perms = stat.mode & 0o7777
+      @time = ::Zip::DOSTime.from_time(stat.mtime)
     end
 
-    def set_unix_permissions_on_path(dest_path)
-      # BUG: does not update timestamps into account
+    def set_unix_attributes_on_path(dest_path)
       # ignore setuid/setgid bits by default.  honor if @restore_ownership
-      unix_perms_mask = 01777
-      unix_perms_mask = 07777 if @restore_ownership
+      unix_perms_mask = 0o1777
+      unix_perms_mask = 0o7777 if @restore_ownership
       ::FileUtils.chmod(@unix_perms & unix_perms_mask, dest_path) if @restore_permissions && @unix_perms
       ::FileUtils.chown(@unix_uid, @unix_gid, dest_path) if @restore_ownership && @unix_uid && @unix_gid && ::Process.egid == 0
-      # File::utimes()
+
+      # Restore the timestamp on a file. This will either have come from the
+      # original source file that was copied into the archive, or from the
+      # creation date of the archive if there was no original source file.
+      ::FileUtils.touch(dest_path, mtime: time) if @restore_times
     end
 
     def set_extra_attributes_on_path(dest_path) # :nodoc:
-      return unless (file? || directory?)
+      return unless file? || directory?
 
       case @fstype
       when ::Zip::FSTYPE_UNIX
-        set_unix_permissions_on_path(dest_path)
+        set_unix_attributes_on_path(dest_path)
       end
     end
 
     def pack_c_dir_entry
+      zip64 = @extra['Zip64']
       [
         @header_signature,
         @version, # version of encoding software
         @fstype, # filesystem type
-        @version_needed_to_extract, # @versionNeededToExtract           ,
-        @gp_flags, # @gp_flags                          ,
+        @version_needed_to_extract, # @versionNeededToExtract
+        @gp_flags, # @gp_flags
         @compression_method,
-        @time.to_binary_dos_time, # @last_mod_time                      ,
-        @time.to_binary_dos_date, # @last_mod_date                      ,
+        @time.to_binary_dos_time, # @last_mod_time
+        @time.to_binary_dos_date, # @last_mod_date
         @crc,
-        @compressed_size,
-        @size,
+        zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+        zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
         name_size,
         @extra ? @extra.c_dir_size : 0,
         comment_size,
-        0, # disk number start
+        zip64 && zip64.disk_start_number ? 0xFFFF : 0, # disk number start
         @internal_file_attributes, # file type (binary=0, text=1)
         @external_file_attributes, # native filesystem attributes
-        @local_header_offset,
+        zip64 && zip64.relative_header_offset ? 0xFFFFFFFF : @local_header_offset,
         @name,
         @extra,
         @comment
@@ -416,22 +511,23 @@ module Zip
     end
 
     def write_c_dir_entry(io) #:nodoc:all
+      prep_zip64_extra(false)
       case @fstype
       when ::Zip::FSTYPE_UNIX
         ft = case @ftype
              when :file
-               @unix_perms ||= 0644
+               @unix_perms ||= 0o644
                ::Zip::FILE_TYPE_FILE
              when :directory
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_DIR
              when :symlink
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_SYMLINK
              end
 
         unless ft.nil?
-          @external_file_attributes = (ft << 12 | (@unix_perms & 07777)) << 16
+          @external_file_attributes = (ft << 12 | (@unix_perms & 0o7777)) << 16
         end
       end
 
@@ -444,23 +540,24 @@ module Zip
 
     def ==(other)
       return false unless other.class == self.class
+
       # Compares contents of local entry and exposed fields
-      keys_equal = %w(compression_method crc compressed_size size name extra filepath).all? do |k|
-        other.__send__(k.to_sym) == self.__send__(k.to_sym)
+      keys_equal = %w[compression_method crc compressed_size size name extra filepath].all? do |k|
+        other.__send__(k.to_sym) == __send__(k.to_sym)
       end
-      keys_equal && self.time.dos_equals(other.time)
+      keys_equal && time == other.time
     end
 
-    def <=> (other)
-      self.to_s <=> other.to_s
+    def <=>(other)
+      to_s <=> other.to_s
     end
 
     # Returns an IO like object for the given ZipEntry.
     # Warning: may behave weird with symlinks.
     def get_input_stream(&block)
       if @ftype == :directory
-        yield(::Zip::NullInputStream.instance) if block_given?
-        ::Zip::NullInputStream.instance
+        yield ::Zip::NullInputStream if block_given?
+        ::Zip::NullInputStream
       elsif @filepath
         case @ftype
         when :file
@@ -474,7 +571,8 @@ module Zip
           raise "unknown @file_type #{@ftype}"
         end
       else
-        zis = ::Zip::InputStream.new(@zipfile, local_header_offset)
+        zis = ::Zip::InputStream.new(@zipfile, offset: local_header_offset)
+        zis.instance_variable_set(:@complete_entry, self)
         zis.get_next_entry
         if block_given?
           begin
@@ -494,22 +592,22 @@ module Zip
                when 'file'
                  if name_is_directory?
                    raise ArgumentError,
-                         "entry name '#{newEntry}' indicates directory entry, but "+
-                           "'#{src_path}' is not a directory"
+                         "entry name '#{newEntry}' indicates directory entry, but " \
+                             "'#{src_path}' is not a directory"
                  end
                  :file
                when 'directory'
-                 @name += "/" unless name_is_directory?
+                 @name += '/' unless name_is_directory?
                  :directory
                when 'link'
                  if name_is_directory?
                    raise ArgumentError,
-                         "entry name '#{newEntry}' indicates directory entry, but "+
-                           "'#{src_path}' is not a directory"
+                         "entry name '#{newEntry}' indicates directory entry, but " \
+                             "'#{src_path}' is not a directory"
                  end
                  :symlink
                else
-                 raise RuntimeError, "unknown file type: #{src_path.inspect} #{stat.inspect}"
+                 raise "unknown file type: #{src_path.inspect} #{stat.inspect}"
                end
 
       @filepath = src_path
@@ -518,9 +616,9 @@ module Zip
 
     def write_to_zip_output_stream(zip_output_stream) #:nodoc:all
       if @ftype == :directory
-        zip_output_stream.put_next_entry(self)
+        zip_output_stream.put_next_entry(self, nil, nil, ::Zip::Entry::STORED)
       elsif @filepath
-        zip_output_stream.put_next_entry(self, nil, nil, nil)
+        zip_output_stream.put_next_entry(self, nil, nil, compression_method || ::Zip::Entry::DEFLATED)
         get_input_stream { |is| ::Zip::IOExtras.copy_stream(zip_output_stream, is) }
       else
         zip_output_stream.copy_raw_entry(self)
@@ -530,11 +628,19 @@ module Zip
     def parent_as_string
       entry_name  = name.chomp('/')
       slash_index = entry_name.rindex('/')
-      slash_index ? entry_name.slice(0, slash_index+1) : nil
+      slash_index ? entry_name.slice(0, slash_index + 1) : nil
     end
 
     def get_raw_input_stream(&block)
-      ::File.open(@zipfile, "rb", &block)
+      if @zipfile.respond_to?(:seek) && @zipfile.respond_to?(:read)
+        yield @zipfile
+      else
+        ::File.open(@zipfile, 'rb', &block)
+      end
+    end
+
+    def clean_up
+      # By default, do nothing
     end
 
     private
@@ -542,35 +648,46 @@ module Zip
     def set_time(binary_dos_date, binary_dos_time)
       @time = ::Zip::DOSTime.parse_binary_dos_format(binary_dos_date, binary_dos_time)
     rescue ArgumentError
-      puts "Invalid date/time in zip entry"
+      warn 'WARNING: invalid date/time in zip entry.' if ::Zip.warn_invalid_date
     end
 
-    def create_file(dest_path, continue_on_exists_proc = proc { Zip.continue_on_exists_proc })
-      if ::File.exists?(dest_path) && !yield(self, dest_path)
-        raise ::Zip::ZipDestinationFileExistsError,
+    def create_file(dest_path, _continue_on_exists_proc = proc { Zip.continue_on_exists_proc })
+      if ::File.exist?(dest_path) && !yield(self, dest_path)
+        raise ::Zip::DestinationFileExistsError,
               "Destination '#{dest_path}' already exists"
       end
-      ::File.open(dest_path, "wb") do |os|
+      ::File.open(dest_path, 'wb') do |os|
         get_input_stream do |is|
-          set_extra_attributes_on_path(dest_path)
-
-          buf = ''
-          while buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf)
+          bytes_written = 0
+          warned = false
+          buf = +''
+          while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf))
             os << buf
+            bytes_written += buf.bytesize
+            next unless bytes_written > size && !warned
+
+            message = "entry '#{name}' should be #{size}B, but is larger when inflated."
+            raise ::Zip::EntrySizeError, message if ::Zip.validate_entry_sizes
+
+            warn "WARNING: #{message}"
+            warned = true
           end
         end
       end
+
+      set_extra_attributes_on_path(dest_path)
     end
 
     def create_directory(dest_path)
       return if ::File.directory?(dest_path)
-      if ::File.exists?(dest_path)
+
+      if ::File.exist?(dest_path)
         if block_given? && yield(self, dest_path)
-          ::FileUtils::rm_f dest_path
+          ::FileUtils.rm_f dest_path
         else
-          raise ::Zip::ZipDestinationFileExistsError,
-                "Cannot create directory '#{dest_path}'. "+
-                  "A file already exists with that name"
+          raise ::Zip::DestinationFileExistsError,
+                "Cannot create directory '#{dest_path}'. " \
+                    'A file already exists with that name'
         end
       end
       ::FileUtils.mkdir_p(dest_path)
@@ -579,41 +696,60 @@ module Zip
 
     # BUG: create_symlink() does not use &block
     def create_symlink(dest_path)
-      stat = nil
-      begin
-        stat = ::File.lstat(dest_path)
-      rescue Errno::ENOENT
-      end
+      # TODO: Symlinks pose security challenges. Symlink support temporarily
+      # removed in view of https://github.com/rubyzip/rubyzip/issues/369 .
+      warn "WARNING: skipped symlink '#{dest_path}'."
+    end
 
-      io     = get_input_stream
-      linkto = io.read
-
-      if stat
-        if stat.symlink?
-          if ::File.readlink(dest_path) == linkto
-            return
-          else
-            raise ZipDestinationFileExistsError,
-                  "Cannot create symlink '#{dest_path}'. "+
-                    "A symlink already exists with that name"
-          end
-        else
-          raise ZipDestinationFileExistsError,
-                "Cannot create symlink '#{dest_path}'. "+
-                  "A file already exists with that name"
-        end
+    # apply missing data from the zip64 extra information field, if present
+    # (required when file sizes exceed 2**32, but can be used for all files)
+    def parse_zip64_extra(for_local_header) #:nodoc:all
+      return if @extra['Zip64'].nil?
+
+      if for_local_header
+        @size, @compressed_size = @extra['Zip64'].parse(@size, @compressed_size)
+      else
+        @size, @compressed_size, @local_header_offset = @extra['Zip64'].parse(@size, @compressed_size, @local_header_offset)
       end
+    end
 
-      ::File.symlink(linkto, dest_path)
+    def data_descriptor_size
+      (@gp_flags & 0x0008) > 0 ? 16 : 0
     end
 
-    def fix_zip64_sizes! #:nodoc:all
-      if zip64 = @extra["Zip64"]
-        @size = zip64.original_size
-        @compressed_size = zip64.compressed_size
+    # create a zip64 extra information field if we need one
+    def prep_zip64_extra(for_local_header) #:nodoc:all
+      return unless ::Zip.write_zip64_support
+
+      need_zip64 = @size >= 0xFFFFFFFF || @compressed_size >= 0xFFFFFFFF
+      need_zip64 ||= @local_header_offset >= 0xFFFFFFFF unless for_local_header
+      if need_zip64
+        @version_needed_to_extract = VERSION_NEEDED_TO_EXTRACT_ZIP64
+        @extra.delete('Zip64Placeholder')
+        zip64 = @extra.create('Zip64')
+        if for_local_header
+          # local header always includes size and compressed size
+          zip64.original_size = @size
+          zip64.compressed_size = @compressed_size
+        else
+          # central directory entry entries include whichever fields are necessary
+          zip64.original_size = @size if @size >= 0xFFFFFFFF
+          zip64.compressed_size = @compressed_size if @compressed_size >= 0xFFFFFFFF
+          zip64.relative_header_offset = @local_header_offset if @local_header_offset >= 0xFFFFFFFF
+        end
+      else
+        @extra.delete('Zip64')
+
+        # if this is a local header entry, create a placeholder
+        # so we have room to write a zip64 extra field afterward
+        # (we won't know if it's needed until the file data is written)
+        if for_local_header
+          @extra.create('Zip64Placeholder')
+        else
+          @extra.delete('Zip64Placeholder')
+        end
       end
     end
-
   end
 end