rubyzip 1.2.1 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1b7ea085db9b27be420d541113214a73ee044c9f
-  data.tar.gz: ea28ff723bfd70f2e6f7a02f4fe28b805aa4a47e
+  metadata.gz: 898367588fc593bddd565ee8626c75cfbcddfce2
+  data.tar.gz: 24d90fd344a11d8cf3b8098c459eb2c765e933e7
 SHA512:
-  metadata.gz: 121d7129aa37b72da82b32882401b7837c9cface1edf1b8bfb911cd20a55b2ecdacd308de9b7ed0cb6bc0b45d9d974faf28826efe191ddc36d3eb8431f8fe6f0
-  data.tar.gz: b1ef9770bcd133de33f61642665d511a11aff21aba880cf1226df0c8e1b3602833679384d76bf6877b19567406f7bd9a60de8bd78aded3f303660fbb80b31bb7
+  metadata.gz: 4f00c8c74720ba3bf103596601400f57e89d03cdd90b4423debd4c96ed6150a3db0fa8f7407201657cf6a7ee0b2e6586c7a284e1398dd1cf44c523799e1b25be
+  data.tar.gz: 3a434114b84d7b109e26aec4821b395ad100efda591ad004656c6b5fd8cdba3740e50c171409c726a9770996e0815ef0324c87063d975024642c6f89ba56377e

data/README.md

@@ -52,9 +52,9 @@ Zip::File.open(zipfile_name, Zip::File::CREATE) do |zipfile|
     # Two arguments:
     # - The name of the file as it will appear in the archive
     # - The original file, including the path to find it
-    zipfile.add(filename, folder + '/' + filename)
+    zipfile.add(filename, File.join(folder, filename))
   end
-  zipfile.get_output_stream("myFile") { |os| os.write "myFile contains just this" }
+  zipfile.get_output_stream("myFile") { |f| f.write "myFile contains just this" }
 end
 ```
 
@@ -85,36 +85,36 @@ class ZipFileGenerator
   def write
     entries = Dir.entries(@input_dir) - %w(. ..)
 
-    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |io|
-      write_entries entries, '', io
+    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
+      write_entries entries, '', zipfile
     end
   end
 
   private
 
   # A helper method to make the recursion work.
-  def write_entries(entries, path, io)
+  def write_entries(entries, path, zipfile)
     entries.each do |e|
-      zip_file_path = path == '' ? e : File.join(path, e)
-      disk_file_path = File.join(@input_dir, zip_file_path)
+      zipfile_path = path == '' ? e : File.join(path, e)
+      disk_file_path = File.join(@input_dir, zipfile_path)
       puts "Deflating #{disk_file_path}"
 
       if File.directory? disk_file_path
-        recursively_deflate_directory(disk_file_path, io, zip_file_path)
+        recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
       else
-        put_into_archive(disk_file_path, io, zip_file_path)
+        put_into_archive(disk_file_path, zipfile, zipfile_path)
       end
     end
   end
 
-  def recursively_deflate_directory(disk_file_path, io, zip_file_path)
-    io.mkdir zip_file_path
+  def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
+    zipfile.mkdir zipfile_path
     subdir = Dir.entries(disk_file_path) - %w(. ..)
-    write_entries subdir, zip_file_path, io
+    write_entries subdir, zipfile_path, zipfile
   end
 
-  def put_into_archive(disk_file_path, io, zip_file_path)
-    io.get_output_stream(zip_file_path) do |f|
+  def put_into_archive(disk_file_path, zipfile, zipfile_path)
+    zipfile.get_output_stream(zipfile_path) do |f|
       f.write(File.open(disk_file_path, 'rb').read)
     end
   end
@@ -175,9 +175,8 @@ end
 
 But there is one exception when it is not working - General Purpose Flag Bit 3.
 
-```
-If bit 3 (0x08) of the general-purpose flags field is set, then the CRC-32 and file sizes are not known when the header is written. The fields in the local header are filled with zero, and the CRC-32 and size are appended in a 12-byte structure (optionally preceded by a 4-byte signature) immediately after the compressed data
-```
+> If bit 3 (0x08) of the general-purpose flags field is set, then the CRC-32 and file sizes are not known when the header is written. The fields in the local header are filled with zero, and the CRC-32 and size are appended in a 12-byte structure (optionally preceded by a 4-byte signature) immediately after the compressed data
+
 
 If `::Zip::InputStream` finds such entry in the zip archive it will raise an exception.
 
@@ -254,6 +253,14 @@ Zip.default_compression = Zlib::DEFAULT_COMPRESSION
 ```
 It defaults to `Zlib::DEFAULT_COMPRESSION`. Possible values are `Zlib::BEST_COMPRESSION`, `Zlib::DEFAULT_COMPRESSION` and `Zlib::NO_COMPRESSION`
 
+Sometimes file names inside zip contain non-ASCII characters. If you can assume which encoding was used for such names and want to be able to find such entries using `find_entry` then you can force assumed encoding like so:
+
+```ruby
+Zip.force_entry_names_encoding = 'UTF-8'
+```
+
+Allowed encoding names are the same as accepted by `String#force_encoding`
+
 You can set multiple settings at the same time by using a block:
 
 ```ruby

data/lib/zip.rb

@@ -34,7 +34,15 @@ require 'zip/errors'
 
 module Zip
   extend self
-  attr_accessor :unicode_names, :on_exists_proc, :continue_on_exists_proc, :sort_entries, :default_compression, :write_zip64_support, :warn_invalid_date, :case_insensitive_match
+  attr_accessor :unicode_names,
+                :on_exists_proc,
+                :continue_on_exists_proc,
+                :sort_entries,
+                :default_compression,
+                :write_zip64_support,
+                :warn_invalid_date,
+                :case_insensitive_match,
+                :force_entry_names_encoding
 
   def reset!
     @_ran_once = false

data/lib/zip/central_directory.rb

@@ -96,7 +96,7 @@ module Zip
       @size_in_bytes                                = Entry.read_zip_64_long(buf)
       @cdir_offset                                  = Entry.read_zip_64_long(buf)
       @zip_64_extensible                            = buf.slice!(0, buf.bytesize)
-      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.size == 0
+      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.empty?
     end
 
     def read_e_o_c_d(buf) #:nodoc:
@@ -113,7 +113,7 @@ module Zip
                                                       else
                                                         buf.read(comment_length)
                                                       end
-      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.size == 0
+      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.empty?
     end
 
     def read_central_directory_entries(io) #:nodoc:
@@ -130,7 +130,7 @@ module Zip
 
     def read_from_stream(io) #:nodoc:
       buf = start_buf(io)
-      if self.zip64_file?(buf)
+      if zip64_file?(buf)
         read_64_e_o_c_d(buf)
       else
         read_e_o_c_d(buf)

data/lib/zip/compressor.rb

@@ -1,7 +1,6 @@
 module Zip
   class Compressor #:nodoc:all
-    def finish
-    end
+    def finish; end
   end
 end
 

data/lib/zip/constants.rb

@@ -11,9 +11,9 @@ module Zip
   VERSION_NEEDED_TO_EXTRACT              = 20
   VERSION_NEEDED_TO_EXTRACT_ZIP64        = 45
 
-  FILE_TYPE_FILE    = 010
-  FILE_TYPE_DIR     = 004
-  FILE_TYPE_SYMLINK = 012
+  FILE_TYPE_FILE    = 0o10
+  FILE_TYPE_DIR     = 0o04
+  FILE_TYPE_SYMLINK = 0o12
 
   FSTYPE_FAT      = 0
   FSTYPE_AMIGA    = 1

data/lib/zip/crypto/null_encryption.rb

@@ -24,8 +24,7 @@ module Zip
       ''
     end
 
-    def reset!
-    end
+    def reset!; end
   end
 
   class NullDecrypter < Decrypter
@@ -35,8 +34,7 @@ module Zip
       data
     end
 
-    def reset!(_header)
-    end
+    def reset!(_header); end
   end
 end
 

data/lib/zip/decompressor.rb

@@ -1,5 +1,5 @@
 module Zip
-  class Decompressor  #:nodoc:all
+  class Decompressor #:nodoc:all
     CHUNK_SIZE = 32_768
     def initialize(input_stream)
       super()

data/lib/zip/dos_time.rb

@@ -19,7 +19,7 @@ module Zip
     end
 
     def to_binary_dos_date
-      (day) +
+      day +
         (month << 5) +
         ((year - 1980) << 9)
     end

data/lib/zip/entry.rb

@@ -99,7 +99,7 @@ module Zip
     end
 
     # Dynamic checkers
-    %w(directory file symlink).each do |k|
+    %w[directory file symlink].each do |k|
       define_method "#{k}?" do
         file_type_is?(k.to_sym)
       end
@@ -109,6 +109,17 @@ module Zip
       @name.end_with?('/')
     end
 
+    # Is the name a relative path, free of `..` patterns that could lead to
+    # path traversal attacks? This does NOT handle symlinks; if the path
+    # contains symlinks, this check is NOT enough to guarantee safety.
+    def name_safe?
+      cleanpath = Pathname.new(@name).cleanpath
+      return false unless cleanpath.relative?
+      root = ::File::SEPARATOR
+      naive_expanded_path = ::File.join(root, cleanpath.to_s)
+      cleanpath.expand_path(root).to_s == naive_expanded_path
+    end
+
     def local_entry_offset #:nodoc:all
       local_header_offset + @local_header_size
     end
@@ -147,14 +158,17 @@ module Zip
     end
 
     # Extracts entry to file dest_path (defaults to @name).
-    def extract(dest_path = @name, &block)
-      block ||= proc { ::Zip.on_exists_proc }
-
-      if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
-        puts "WARNING: skipped \"../\" path component(s) in #{@name}"
+    # NB: The caller is responsible for making sure dest_path is safe, if it
+    # is passed.
+    def extract(dest_path = nil, &block)
+      if dest_path.nil? && !name_safe?
+        puts "WARNING: skipped #{@name} as unsafe"
         return self
       end
 
+      dest_path ||= @name
+      block ||= proc { ::Zip.on_exists_proc }
+
       if directory? || file? || symlink?
         __send__("create_#{@ftype}", dest_path, &block)
       else
@@ -239,7 +253,10 @@ module Zip
       @name = io.read(@name_length)
       extra = io.read(@extra_length)
 
-      @name.gsub!('\\', '/')
+      @name.tr!('\\', '/')
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
 
       if extra && extra.bytesize != @extra_length
         raise ::Zip::Error, 'Truncated local zip entry header'
@@ -263,8 +280,8 @@ module Zip
        @time.to_binary_dos_time, # @last_mod_time              ,
        @time.to_binary_dos_date, # @last_mod_date              ,
        @crc,
-       (zip64 && zip64.compressed_size) ? 0xFFFFFFFF : @compressed_size,
-       (zip64 && zip64.original_size) ? 0xFFFFFFFF : @size,
+       zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+       zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
        name_size,
        @extra ? @extra.local_size : 0].pack('VvvvvvVVVvv')
     end
@@ -308,7 +325,7 @@ module Zip
     def set_ftype_from_c_dir_entry
       @ftype = case @fstype
                when ::Zip::FSTYPE_UNIX
-                 @unix_perms = (@external_file_attributes >> 16) & 07777
+                 @unix_perms = (@external_file_attributes >> 16) & 0o7777
                  case (@external_file_attributes >> 28)
                  when ::Zip::FILE_TYPE_DIR
                    :directory
@@ -364,6 +381,9 @@ module Zip
       check_c_dir_entry_signature
       set_time(@last_mod_date, @last_mod_time)
       @name = io.read(@name_length)
+      if ::Zip.force_entry_names_encoding
+        @name.force_encoding(::Zip.force_entry_names_encoding)
+      end
       read_c_dir_extra_field(io)
       @comment = io.read(@comment_length)
       check_c_dir_entry_comment_size
@@ -384,14 +404,14 @@ module Zip
       stat        = file_stat(path)
       @unix_uid   = stat.uid
       @unix_gid   = stat.gid
-      @unix_perms = stat.mode & 07777
+      @unix_perms = stat.mode & 0o7777
     end
 
     def set_unix_permissions_on_path(dest_path)
       # BUG: does not update timestamps into account
       # ignore setuid/setgid bits by default.  honor if @restore_ownership
-      unix_perms_mask = 01777
-      unix_perms_mask = 07777 if @restore_ownership
+      unix_perms_mask = 0o1777
+      unix_perms_mask = 0o7777 if @restore_ownership
       ::FileUtils.chmod(@unix_perms & unix_perms_mask, dest_path) if @restore_permissions && @unix_perms
       ::FileUtils.chown(@unix_uid, @unix_gid, dest_path) if @restore_ownership && @unix_uid && @unix_gid && ::Process.egid == 0
       # File::utimes()
@@ -418,15 +438,15 @@ module Zip
         @time.to_binary_dos_time, # @last_mod_time                      ,
         @time.to_binary_dos_date, # @last_mod_date                      ,
         @crc,
-        (zip64 && zip64.compressed_size) ? 0xFFFFFFFF : @compressed_size,
-        (zip64 && zip64.original_size) ? 0xFFFFFFFF : @size,
+        zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
+        zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
         name_size,
         @extra ? @extra.c_dir_size : 0,
         comment_size,
-        (zip64 && zip64.disk_start_number) ? 0xFFFF : 0, # disk number start
+        zip64 && zip64.disk_start_number ? 0xFFFF : 0, # disk number start
         @internal_file_attributes, # file type (binary=0, text=1)
         @external_file_attributes, # native filesystem attributes
-        (zip64 && zip64.relative_header_offset) ? 0xFFFFFFFF : @local_header_offset,
+        zip64 && zip64.relative_header_offset ? 0xFFFFFFFF : @local_header_offset,
         @name,
         @extra,
         @comment
@@ -439,18 +459,18 @@ module Zip
       when ::Zip::FSTYPE_UNIX
         ft = case @ftype
              when :file
-               @unix_perms ||= 0644
+               @unix_perms ||= 0o644
                ::Zip::FILE_TYPE_FILE
              when :directory
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_DIR
              when :symlink
-               @unix_perms ||= 0755
+               @unix_perms ||= 0o755
                ::Zip::FILE_TYPE_SYMLINK
              end
 
         unless ft.nil?
-          @external_file_attributes = (ft << 12 | (@unix_perms & 07777)) << 16
+          @external_file_attributes = (ft << 12 | (@unix_perms & 0o7777)) << 16
         end
       end
 
@@ -464,7 +484,7 @@ module Zip
     def ==(other)
       return false unless other.class == self.class
       # Compares contents of local entry and exposed fields
-      keys_equal = %w(compression_method crc compressed_size size name extra filepath).all? do |k|
+      keys_equal = %w[compression_method crc compressed_size size name extra filepath].all? do |k|
         other.__send__(k.to_sym) == __send__(k.to_sym)
       end
       keys_equal && time.dos_equals(other.time)
@@ -494,7 +514,7 @@ module Zip
         end
       else
         zis = ::Zip::InputStream.new(@zipfile, local_header_offset)
-        zis.instance_variable_set(:@internal, true)
+        zis.instance_variable_set(:@complete_entry, self)
         zis.get_next_entry
         if block_given?
           begin
@@ -607,32 +627,9 @@ module Zip
 
     # BUG: create_symlink() does not use &block
     def create_symlink(dest_path)
-      stat = nil
-      begin
-        stat = ::File.lstat(dest_path)
-      rescue Errno::ENOENT
-      end
-
-      io     = get_input_stream
-      linkto = io.read
-
-      if stat
-        if stat.symlink?
-          if ::File.readlink(dest_path) == linkto
-            return
-          else
-            raise ::Zip::DestinationFileExistsError,
-                  "Cannot create symlink '#{dest_path}'. " \
-                      'A symlink already exists with that name'
-          end
-        else
-          raise ::Zip::DestinationFileExistsError,
-                "Cannot create symlink '#{dest_path}'. " \
-                    'A file already exists with that name'
-        end
-      end
-
-      ::File.symlink(linkto, dest_path)
+      # TODO: Symlinks pose security challenges. Symlink support temporarily
+      # removed in view of https://github.com/rubyzip/rubyzip/issues/369 .
+      puts "WARNING: skipped symlink #{dest_path}"
     end
 
     # apply missing data from the zip64 extra information field, if present

data/lib/zip/entry_set.rb

@@ -5,7 +5,7 @@ module Zip
 
     def initialize(an_enumerable = [])
       super()
-      @entry_set   = {}
+      @entry_set = {}
       an_enumerable.each { |o| push(o) }
     end
 
@@ -33,9 +33,9 @@ module Zip
       entry if @entry_set.delete(to_key(entry))
     end
 
-    def each(&block)
+    def each
       @entry_set = sorted_entries.dup.each do |_, value|
-        block.call(value)
+        yield(value)
       end
     end
 

data/lib/zip/extra_field.rb

@@ -8,7 +8,7 @@ module Zip
 
     def extra_field_type_exist(binstr, id, len, i)
       field_name = ID_MAP[id].name
-      if self.member?(field_name)
+      if member?(field_name)
         self[field_name].merge(binstr[i, len + 4])
       else
         field_obj        = ID_MAP[id].new(binstr[i, len + 4])

data/lib/zip/extra_field/generic.rb

@@ -1,7 +1,7 @@
 module Zip
   class ExtraField::Generic
     def self.register_map
-      if self.const_defined?(:HEADER_ID)
+      if const_defined?(:HEADER_ID)
         ::Zip::ExtraField::ID_MAP[const_get(:HEADER_ID)] = self
       end
     end

data/lib/zip/extra_field/zip64_placeholder.rb

@@ -6,8 +6,7 @@ module Zip
     HEADER_ID = ['9999'].pack('H*') # this ID is used by other libraries such as .NET's Ionic.zip
     register_map
 
-    def initialize(_binstr = nil)
-    end
+    def initialize(_binstr = nil); end
 
     def pack_for_local
       "\x00" * 16