rubyzip 1.1.7 → 1.3.0

data/lib/zip/crypto/null_encryption.rb

@@ -12,7 +12,7 @@ module Zip
   class NullEncrypter < Encrypter
     include NullEncryption
 
-    def header(mtime)
+    def header(_mtime)
       ''
     end
 
@@ -20,12 +20,11 @@ module Zip
       data
     end
 
-    def data_descriptor(crc32, compressed_size, uncomprssed_size)
+    def data_descriptor(_crc32, _compressed_size, _uncomprssed_size)
       ''
     end
 
-    def reset!
-    end
+    def reset!; end
   end
 
   class NullDecrypter < Decrypter
@@ -35,8 +34,7 @@ module Zip
       data
     end
 
-    def reset!(header)
-    end
+    def reset!(_header); end
   end
 end
 

data/lib/zip/crypto/traditional_encryption.rb

@@ -26,7 +26,7 @@ module Zip
 
     def update_keys(n)
       @key0 = ~Zlib.crc32(n, ~@key0)
-      @key1 = ((@key1 + (@key0 & 0xff)) * 134775813 + 1) & 0xffffffff
+      @key1 = ((@key1 + (@key0 & 0xff)) * 134_775_813 + 1) & 0xffffffff
       @key2 = ~Zlib.crc32((@key1 >> 24).chr, ~@key2)
     end
 
@@ -46,15 +46,15 @@ module Zip
         end
         header << (mtime.to_binary_dos_time & 0xff)
         header << (mtime.to_binary_dos_time >> 8)
-      end.map{|x| encode x}.pack("C*")
+      end.map { |x| encode x }.pack('C*')
     end
 
     def encrypt(data)
-      data.unpack("C*").map{|x| encode x}.pack("C*")
+      data.unpack('C*').map { |x| encode x }.pack('C*')
     end
 
     def data_descriptor(crc32, compressed_size, uncomprssed_size)
-      [0x08074b50, crc32, compressed_size, uncomprssed_size].pack("VVVV")
+      [0x08074b50, crc32, compressed_size, uncomprssed_size].pack('VVVV')
     end
 
     def reset!
@@ -74,7 +74,7 @@ module Zip
     include TraditionalEncryption
 
     def decrypt(data)
-      data.unpack("C*").map{|x| decode x}.pack("C*")
+      data.unpack('C*').map { |x| decode x }.pack('C*')
     end
 
     def reset!(header)

data/lib/zip/decompressor.rb

@@ -1,9 +1,9 @@
 module Zip
-  class Decompressor  #:nodoc:all
-    CHUNK_SIZE = 32768
+  class Decompressor #:nodoc:all
+    CHUNK_SIZE = 32_768
     def initialize(input_stream)
       super()
-      @input_stream=input_stream
+      @input_stream = input_stream
     end
   end
 end

data/lib/zip/deflater.rb

@@ -1,6 +1,5 @@
 module Zip
   class Deflater < Compressor #:nodoc:all
-
     def initialize(output_stream, level = Zip.default_compression, encrypter = NullEncrypter.new)
       super()
       @output_stream = output_stream
@@ -8,18 +7,21 @@ module Zip
       @size          = 0
       @crc           = ::Zlib.crc32
       @encrypter     = encrypter
-      @buffer_stream = ::StringIO.new('')
     end
 
-    def << (data)
+    def <<(data)
       val   = data.to_s
-      @crc  = Zlib::crc32(val, @crc)
+      @crc  = Zlib.crc32(val, @crc)
       @size += val.bytesize
-      @buffer_stream << @zlib_deflater.deflate(data)
+      buffer = @zlib_deflater.deflate(data)
+      if buffer.empty?
+        @output_stream
+      else
+        @output_stream << @encrypter.encrypt(buffer)
+      end
     end
 
     def finish
-      @output_stream << @encrypter.encrypt(@buffer_stream.string)
       @output_stream << @encrypter.encrypt(@zlib_deflater.finish) until @zlib_deflater.finished?
     end
 

data/lib/zip/dos_time.rb

@@ -1,7 +1,6 @@
 module Zip
   class DOSTime < Time #:nodoc:all
-
-    #MS-DOS File Date and Time format as used in Interrupt 21H Function 57H:
+    # MS-DOS File Date and Time format as used in Interrupt 21H Function 57H:
 
     # Register CX, the Time:
     # Bits 0-4  2 second increments (0-29)
@@ -14,20 +13,20 @@ module Zip
     # bits 9-15 year (four digit year minus 1980)
 
     def to_binary_dos_time
-      (sec/2) +
+      (sec / 2) +
         (min << 5) +
         (hour << 11)
     end
 
     def to_binary_dos_date
-      (day) +
+      day +
         (month << 5) +
         ((year - 1980) << 9)
     end
 
     # Dos time is only stored with two seconds accuracy
     def dos_equals(other)
-      to_i/2 == other.to_i/2
+      to_i / 2 == other.to_i / 2
     end
 
     def self.parse_binary_dos_format(binaryDosDate, binaryDosTime)
@@ -38,7 +37,7 @@ module Zip
       month  = (0b111100000 & binaryDosDate) >> 5
       year   = ((0b1111111000000000 & binaryDosDate) >> 9) + 1980
       begin
-        self.local(year, month, day, hour, minute, second)
+        local(year, month, day, hour, minute, second)
       end
     end
   end

data/lib/zip/entry.rb

@@ -1,3 +1,4 @@
+require 'pathname'
 module Zip
   class Entry
     STORED   = 0
@@ -7,6 +8,7 @@ module Zip
 
     attr_accessor :comment, :compressed_size, :crc, :extra, :compression_method,
                   :name, :size, :local_header_offset, :zipfile, :fstype, :external_file_attributes,
+                  :internal_file_attributes,
                   :gp_flags, :header_signature, :follow_symlinks,
                   :restore_times, :restore_permissions, :restore_ownership,
                   :unix_uid, :unix_gid, :unix_perms,
@@ -39,15 +41,14 @@ module Zip
       @unix_uid            = nil
       @unix_gid            = nil
       @unix_perms          = nil
-      #@posix_acl = nil
-      #@ntfs_acl = nil
+      # @posix_acl = nil
+      # @ntfs_acl = nil
       @dirty               = false
     end
 
     def check_name(name)
-      if name.start_with?('/')
-        raise ::Zip::EntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /"
-      end
+      return unless name.start_with?('/')
+      raise ::Zip::EntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /"
     end
 
     def initialize(*args)
@@ -68,7 +69,7 @@ module Zip
       @time               = args[8] || ::Zip::DOSTime.now
 
       @ftype = name_is_directory? ? :directory : :file
-      @extra = ::Zip::ExtraField.new(@extra.to_s) unless ::Zip::ExtraField === @extra
+      @extra = ::Zip::ExtraField.new(@extra.to_s) unless @extra.is_a?(::Zip::ExtraField)
     end
 
     def time
@@ -83,7 +84,7 @@ module Zip
       end
     end
 
-    alias :mtime :time
+    alias mtime time
 
     def time=(value)
       unless @extra.member?('UniversalTime') || @extra.member?('NTFS')
@@ -94,12 +95,12 @@ module Zip
     end
 
     def file_type_is?(type)
-      raise InternalError, "current filetype is unknown: #{self.inspect}" unless @ftype
+      raise InternalError, "current filetype is unknown: #{inspect}" unless @ftype
       @ftype == type
     end
 
     # Dynamic checkers
-    %w(directory file symlink).each do |k|
+    %w[directory file symlink].each do |k|
       define_method "#{k}?" do
         file_type_is?(k.to_sym)
       end
@@ -109,6 +110,17 @@ module Zip
       @name.end_with?('/')
     end
 
+    # Is the name a relative path, free of `..` patterns that could lead to
+    # path traversal attacks? This does NOT handle symlinks; if the path
+    # contains symlinks, this check is NOT enough to guarantee safety.
+    def name_safe?
+      cleanpath = Pathname.new(@name).cleanpath
+      return false unless cleanpath.relative?
+      root = ::File::SEPARATOR
+      naive_expanded_path = ::File.join(root, cleanpath.to_s)
+      ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
+    end
+
     def local_entry_offset #:nodoc:all
       local_header_offset + @local_header_size
     end
@@ -143,17 +155,25 @@ module Zip
     end
 
     def next_header_offset #:nodoc:all
-      local_entry_offset + self.compressed_size + data_descriptor_size
+      local_entry_offset + compressed_size + data_descriptor_size
     end
 
     # Extracts entry to file dest_path (defaults to @name).
-    def extract(dest_path = @name, &block)
+    # NB: The caller is responsible for making sure dest_path is safe, if it
+    # is passed.
+    def extract(dest_path = nil, &block)
+      if dest_path.nil? && !name_safe?
+        puts "WARNING: skipped #{@name} as unsafe"
+        return self
+      end
+
+      dest_path ||= @name
       block ||= proc { ::Zip.on_exists_proc }
 
       if directory? || file? || symlink?
-        self.__send__("create_#{@ftype}", dest_path, &block)
+        __send__("create_#{@ftype}", dest_path, &block)
       else
-        raise RuntimeError, "unknown file type #{self.inspect}"
+        raise "unknown file type #{inspect}"
       end
 
       self
@@ -163,8 +183,6 @@ module Zip
       @name
     end
 
-    protected
-
     class << self
       def read_zip_short(io) # :nodoc:
         io.read(2).unpack('v')[0]
@@ -179,11 +197,11 @@ module Zip
       end
 
       def read_c_dir_entry(io) #:nodoc:all
-        path = if io.is_a?(::IO)
-              io.path
-             else
-               io
-             end
+        path = if io.respond_to?(:path)
+                 io.path
+               else
+                 io
+               end
         entry = new(path)
         entry.read_c_dir_entry(io)
         entry
@@ -192,13 +210,12 @@ module Zip
       end
 
       def read_local_entry(io)
-        entry = self.new(io)
+        entry = new(io)
         entry.read_local_entry(io)
         entry
       rescue Error
         nil
       end
-
     end
 
     public
@@ -221,10 +238,10 @@ module Zip
     def read_local_entry(io) #:nodoc:all
       @local_header_offset = io.tell
 
-      static_sized_fields_buf = io.read(::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH)
+      static_sized_fields_buf = io.read(::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH) || ''
 
       unless static_sized_fields_buf.bytesize == ::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH
-        raise Error, "Premature end of file. Not enough data for zip entry local header"
+        raise Error, 'Premature end of file. Not enough data for zip entry local header'
       end
 
       unpack_local_entry(static_sized_fields_buf)
@@ -237,13 +254,16 @@ module Zip
       @name = io.read(@name_length)
       extra = io.read(@extra_length)
 
-      @name.gsub!('\\', '/')
+      @name.tr!('\\', '/')
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
 
       if extra && extra.bytesize != @extra_length
-        raise ::Zip::Error, "Truncated local zip entry header"
+        raise ::Zip::Error, 'Truncated local zip entry header'
       else
-        if ::Zip::ExtraField === @extra
-          @extra.merge(extra)
+        if @extra.is_a?(::Zip::ExtraField)
+          @extra.merge(extra) if extra
         else
           @extra = ::Zip::ExtraField.new(extra)
         end
@@ -256,13 +276,13 @@ module Zip
       zip64 = @extra['Zip64']
       [::Zip::LOCAL_ENTRY_SIGNATURE,
        @version_needed_to_extract, # version needed to extract
-       @gp_flags, # @gp_flags                  ,
+       @gp_flags, # @gp_flags
        @compression_method,
-       @time.to_binary_dos_time, # @last_mod_time              ,
-       @time.to_binary_dos_date, # @last_mod_date              ,
+       @time.to_binary_dos_time, # @last_mod_time
+       @time.to_binary_dos_date, # @last_mod_date
        @crc,
-       (zip64 && zip64.compressed_size) ? 0xFFFFFFFF : @compressed_size,
-       (zip64 && zip64.original_size) ? 0xFFFFFFFF : @size,
+       zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+       zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
        name_size,
        @extra ? @extra.local_size : 0].pack('VvvvvvVVVvv')
     end
@@ -306,7 +326,7 @@ module Zip
     def set_ftype_from_c_dir_entry
       @ftype = case @fstype
                when ::Zip::FSTYPE_UNIX
-                 @unix_perms = (@external_file_attributes >> 16) & 07777
+                 @unix_perms = (@external_file_attributes >> 16) & 0o7777
                  case (@external_file_attributes >> 28)
                  when ::Zip::FILE_TYPE_DIR
                    :directory
@@ -315,8 +335,8 @@ module Zip
                  when ::Zip::FILE_TYPE_SYMLINK
                    :symlink
                  else
-                   #best case guess for whether it is a file or not
-                   #Otherwise this would be set to unknown and that entry would never be able to extracted
+                   # best case guess for whether it is a file or not
+                   # Otherwise this would be set to unknown and that entry would never be able to extracted
                    if name_is_directory?
                      :directory
                    else
@@ -333,21 +353,18 @@ module Zip
     end
 
     def check_c_dir_entry_static_header_length(buf)
-      unless buf.bytesize == ::Zip::CDIR_ENTRY_STATIC_HEADER_LENGTH
-        raise Error, 'Premature end of file. Not enough data for zip cdir entry header'
-      end
+      return if buf.bytesize == ::Zip::CDIR_ENTRY_STATIC_HEADER_LENGTH
+      raise Error, 'Premature end of file. Not enough data for zip cdir entry header'
     end
 
     def check_c_dir_entry_signature
-      unless header_signature == ::Zip::CENTRAL_DIRECTORY_ENTRY_SIGNATURE
-        raise Error, "Zip local header magic not found at location '#{local_header_offset}'"
-      end
+      return if header_signature == ::Zip::CENTRAL_DIRECTORY_ENTRY_SIGNATURE
+      raise Error, "Zip local header magic not found at location '#{local_header_offset}'"
     end
 
     def check_c_dir_entry_comment_size
-      unless @comment && @comment.bytesize == @comment_length
-        raise ::Zip::Error, "Truncated cdir zip entry header"
-      end
+      return if @comment && @comment.bytesize == @comment_length
+      raise ::Zip::Error, 'Truncated cdir zip entry header'
     end
 
     def read_c_dir_extra_field(io)
@@ -364,7 +381,10 @@ module Zip
       unpack_c_dir_entry(static_sized_fields_buf)
       check_c_dir_entry_signature
       set_time(@last_mod_date, @last_mod_time)
-      @name = io.read(@name_length).tr('\\', '/')
+      @name = io.read(@name_length)
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
       read_c_dir_extra_field(io)
       @comment = io.read(@comment_length)
       check_c_dir_entry_comment_size
@@ -374,33 +394,32 @@ module Zip
 
     def file_stat(path) # :nodoc:
       if @follow_symlinks
-        ::File::stat(path)
+        ::File.stat(path)
       else
-        ::File::lstat(path)
+        ::File.lstat(path)
       end
     end
 
     def get_extra_attributes_from_path(path) # :nodoc:
-      unless Zip::RUNNING_ON_WINDOWS
-        stat        = file_stat(path)
-        @unix_uid   = stat.uid
-        @unix_gid   = stat.gid
-        @unix_perms = stat.mode & 07777
-      end
+      return if Zip::RUNNING_ON_WINDOWS
+      stat        = file_stat(path)
+      @unix_uid   = stat.uid
+      @unix_gid   = stat.gid
+      @unix_perms = stat.mode & 0o7777
     end
 
     def set_unix_permissions_on_path(dest_path)
       # BUG: does not update timestamps into account
       # ignore setuid/setgid bits by default.  honor if @restore_ownership
-      unix_perms_mask = 01777
-      unix_perms_mask = 07777 if @restore_ownership
+      unix_perms_mask = 0o1777
+      unix_perms_mask = 0o7777 if @restore_ownership
       ::FileUtils.chmod(@unix_perms & unix_perms_mask, dest_path) if @restore_permissions && @unix_perms
       ::FileUtils.chown(@unix_uid, @unix_gid, dest_path) if @restore_ownership && @unix_uid && @unix_gid && ::Process.egid == 0
       # File::utimes()
     end
 
     def set_extra_attributes_on_path(dest_path) # :nodoc:
-      return unless (file? || directory?)
+      return unless file? || directory?
 
       case @fstype
       when ::Zip::FSTYPE_UNIX
@@ -414,21 +433,21 @@ module Zip
         @header_signature,
         @version, # version of encoding software
         @fstype, # filesystem type
-        @version_needed_to_extract, # @versionNeededToExtract           ,
-        @gp_flags, # @gp_flags                          ,
+        @version_needed_to_extract, # @versionNeededToExtract
+        @gp_flags, # @gp_flags
         @compression_method,
-        @time.to_binary_dos_time, # @last_mod_time                      ,
-        @time.to_binary_dos_date, # @last_mod_date                      ,
+        @time.to_binary_dos_time, # @last_mod_time
+        @time.to_binary_dos_date, # @last_mod_date
         @crc,
-        (zip64 && zip64.compressed_size) ? 0xFFFFFFFF : @compressed_size,
-        (zip64 && zip64.original_size) ? 0xFFFFFFFF : @size,
+        zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+        zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
         name_size,
         @extra ? @extra.c_dir_size : 0,
         comment_size,
-        (zip64 && zip64.disk_start_number) ? 0xFFFF : 0, # disk number start
+        zip64 && zip64.disk_start_number ? 0xFFFF : 0, # disk number start
         @internal_file_attributes, # file type (binary=0, text=1)
         @external_file_attributes, # native filesystem attributes
-        (zip64 && zip64.relative_header_offset) ? 0xFFFFFFFF : @local_header_offset,
+        zip64 && zip64.relative_header_offset ? 0xFFFFFFFF : @local_header_offset,
         @name,
         @extra,
         @comment
@@ -441,18 +460,18 @@ module Zip
       when ::Zip::FSTYPE_UNIX
         ft = case @ftype
              when :file
-               @unix_perms ||= 0644
+               @unix_perms ||= 0o644
                ::Zip::FILE_TYPE_FILE
              when :directory
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_DIR
              when :symlink
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_SYMLINK
              end
 
         unless ft.nil?
-          @external_file_attributes = (ft << 12 | (@unix_perms & 07777)) << 16
+          @external_file_attributes = (ft << 12 | (@unix_perms & 0o7777)) << 16
         end
       end
 
@@ -466,14 +485,14 @@ module Zip
     def ==(other)
       return false unless other.class == self.class
       # Compares contents of local entry and exposed fields
-      keys_equal = %w(compression_method crc compressed_size size name extra filepath).all? do |k|
-        other.__send__(k.to_sym) == self.__send__(k.to_sym)
+      keys_equal = %w[compression_method crc compressed_size size name extra filepath].all? do |k|
+        other.__send__(k.to_sym) == __send__(k.to_sym)
       end
-      keys_equal && self.time.dos_equals(other.time)
+      keys_equal && time.dos_equals(other.time)
     end
 
-    def <=> (other)
-      self.to_s <=> other.to_s
+    def <=>(other)
+      to_s <=> other.to_s
     end
 
     # Returns an IO like object for the given ZipEntry.
@@ -496,6 +515,7 @@ module Zip
         end
       else
         zis = ::Zip::InputStream.new(@zipfile, local_header_offset)
+        zis.instance_variable_set(:@complete_entry, self)
         zis.get_next_entry
         if block_given?
           begin
@@ -515,8 +535,8 @@ module Zip
                when 'file'
                  if name_is_directory?
                    raise ArgumentError,
-                         "entry name '#{newEntry}' indicates directory entry, but "+
-                           "'#{src_path}' is not a directory"
+                         "entry name '#{newEntry}' indicates directory entry, but " \
+                             "'#{src_path}' is not a directory"
                  end
                  :file
                when 'directory'
@@ -525,12 +545,12 @@ module Zip
                when 'link'
                  if name_is_directory?
                    raise ArgumentError,
-                         "entry name '#{newEntry}' indicates directory entry, but "+
-                           "'#{src_path}' is not a directory"
+                         "entry name '#{newEntry}' indicates directory entry, but " \
+                             "'#{src_path}' is not a directory"
                  end
                  :symlink
                else
-                 raise RuntimeError, "unknown file type: #{src_path.inspect} #{stat.inspect}"
+                 raise "unknown file type: #{src_path.inspect} #{stat.inspect}"
                end
 
       @filepath = src_path
@@ -541,7 +561,7 @@ module Zip
       if @ftype == :directory
         zip_output_stream.put_next_entry(self, nil, nil, ::Zip::Entry::STORED)
       elsif @filepath
-        zip_output_stream.put_next_entry(self, nil, nil, self.compression_method || ::Zip::Entry::DEFLATED)
+        zip_output_stream.put_next_entry(self, nil, nil, compression_method || ::Zip::Entry::DEFLATED)
         get_input_stream { |is| ::Zip::IOExtras.copy_stream(zip_output_stream, is) }
       else
         zip_output_stream.copy_raw_entry(self)
@@ -551,14 +571,14 @@ module Zip
     def parent_as_string
       entry_name  = name.chomp('/')
       slash_index = entry_name.rindex('/')
-      slash_index ? entry_name.slice(0, slash_index+1) : nil
+      slash_index ? entry_name.slice(0, slash_index + 1) : nil
     end
 
     def get_raw_input_stream(&block)
-      if @zipfile.is_a?(::IO) || @zipfile.is_a?(::StringIO)
+      if @zipfile.respond_to?(:seek) && @zipfile.respond_to?(:read)
         yield @zipfile
       else
-        ::File.open(@zipfile, "rb", &block)
+        ::File.open(@zipfile, 'rb', &block)
       end
     end
 
@@ -571,21 +591,33 @@ module Zip
     def set_time(binary_dos_date, binary_dos_time)
       @time = ::Zip::DOSTime.parse_binary_dos_format(binary_dos_date, binary_dos_time)
     rescue ArgumentError
-      puts "Invalid date/time in zip entry" if ::Zip.warn_invalid_date
+      warn 'Invalid date/time in zip entry' if ::Zip.warn_invalid_date
     end
 
-    def create_file(dest_path, continue_on_exists_proc = proc { Zip.continue_on_exists_proc })
+    def create_file(dest_path, _continue_on_exists_proc = proc { Zip.continue_on_exists_proc })
       if ::File.exist?(dest_path) && !yield(self, dest_path)
         raise ::Zip::DestinationFileExistsError,
               "Destination '#{dest_path}' already exists"
       end
-      ::File.open(dest_path, "wb") do |os|
+      ::File.open(dest_path, 'wb') do |os|
         get_input_stream do |is|
           set_extra_attributes_on_path(dest_path)
 
-          buf = ''
-          while buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf)
+          bytes_written = 0
+          warned = false
+          buf = ''.dup
+          while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf))
             os << buf
+            bytes_written += buf.bytesize
+            if bytes_written > size && !warned
+              message = "Entry #{name} should be #{size}B but is larger when inflated"
+              if ::Zip.validate_entry_sizes
+                raise ::Zip::EntrySizeError, message
+              else
+                puts "WARNING: #{message}"
+                warned = true
+              end
+            end
           end
         end
       end
@@ -595,11 +627,11 @@ module Zip
       return if ::File.directory?(dest_path)
       if ::File.exist?(dest_path)
         if block_given? && yield(self, dest_path)
-          ::FileUtils::rm_f dest_path
+          ::FileUtils.rm_f dest_path
         else
           raise ::Zip::DestinationFileExistsError,
-                "Cannot create directory '#{dest_path}'. "+
-                  "A file already exists with that name"
+                "Cannot create directory '#{dest_path}'. " \
+                    'A file already exists with that name'
         end
       end
       ::FileUtils.mkdir_p(dest_path)
@@ -608,43 +640,19 @@ module Zip
 
     # BUG: create_symlink() does not use &block
     def create_symlink(dest_path)
-      stat = nil
-      begin
-        stat = ::File.lstat(dest_path)
-      rescue Errno::ENOENT
-      end
-
-      io     = get_input_stream
-      linkto = io.read
-
-      if stat
-        if stat.symlink?
-          if ::File.readlink(dest_path) == linkto
-            return
-          else
-            raise ::Zip::DestinationFileExistsError,
-                  "Cannot create symlink '#{dest_path}'. "+
-                    "A symlink already exists with that name"
-          end
-        else
-          raise ::Zip::DestinationFileExistsError,
-                "Cannot create symlink '#{dest_path}'. "+
-                  "A file already exists with that name"
-        end
-      end
-
-      ::File.symlink(linkto, dest_path)
+      # TODO: Symlinks pose security challenges. Symlink support temporarily
+      # removed in view of https://github.com/rubyzip/rubyzip/issues/369 .
+      puts "WARNING: skipped symlink #{dest_path}"
     end
 
     # apply missing data from the zip64 extra information field, if present
     # (required when file sizes exceed 2**32, but can be used for all files)
     def parse_zip64_extra(for_local_header) #:nodoc:all
-      if zip64 = @extra['Zip64']
-        if for_local_header
-          @size, @compressed_size = zip64.parse(@size, @compressed_size)
-        else
-          @size, @compressed_size, @local_header_offset = zip64.parse(@size, @compressed_size, @local_header_offset)
-        end
+      return if @extra['Zip64'].nil?
+      if for_local_header
+        @size, @compressed_size = @extra['Zip64'].parse(@size, @compressed_size)
+      else
+        @size, @compressed_size, @local_header_offset = @extra['Zip64'].parse(@size, @compressed_size, @local_header_offset)
       end
     end
 
@@ -656,10 +664,7 @@ module Zip
     def prep_zip64_extra(for_local_header) #:nodoc:all
       return unless ::Zip.write_zip64_support
       need_zip64 = @size >= 0xFFFFFFFF || @compressed_size >= 0xFFFFFFFF
-      unless for_local_header
-        need_zip64 ||= @local_header_offset >= 0xFFFFFFFF
-      end
-
+      need_zip64 ||= @local_header_offset >= 0xFFFFFFFF unless for_local_header
       if need_zip64
         @version_needed_to_extract = VERSION_NEEDED_TO_EXTRACT_ZIP64
         @extra.delete('Zip64Placeholder')
@@ -687,7 +692,6 @@ module Zip
         end
       end
     end
-
   end
 end