rubyzip 3.0.0.alpha → 3.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd95bfed4ea9c320051f039341277893bedc591147c093a4c527082b81eb6ae3
-  data.tar.gz: ea955185220e2d566bb8c843bd76dd2b076ca1b4353f3d1c1c5910522a2e3d7c
+  metadata.gz: 2840381c70e4bc8b3fbbfc003e4caf71dab05301621a411b44dc16cd962ca4fb
+  data.tar.gz: 75199ebb2cf53b8a53b930a0ef908773328b4cab2dadef4839fe8194fced289c
 SHA512:
-  metadata.gz: 74dc66a56c1b5e899ba2d683dd4f147be5f301f1d51d86d5d9f027c4c9a74beb48135aaec72e304dd9b8ff92d4f0f2f429d4ab0e0eb5b19c9322bdcf5b66ddea
-  data.tar.gz: 0ad96c3aa4ab42648abdfa8e60d7360a17bc0543d6116a70bd4679f7a9b5da57c1f1d3580bb5e1d7b9d9c8a87b76e084a8f759c4bfacf99e6dca8580d85bf2a7
+  metadata.gz: 1716ef6a03ee08773e4dba640be0fe0e294e4a955b2535d5049dd62c37cc82e161827c2e226c9b93c883f6789c9f275d30e267733038aee59e2c4a80f55193e1
+  data.tar.gz: b4b320f64167dd5f464e45d61d49b2e49619bc356cd2d59f617dfd8ebe7a1be5724e294bab2498186dde951cfd7453a5a4b09f15fd6f88f9872234956182241a

data/Changelog.md

@@ -1,5 +1,21 @@
 # 3.0.0 (Next)
 
+- Fix `File#write_buffer` to always return the given `io`.
+- Add `Entry#absolute_time?` and `DOSTime#absolute_time?` methods.
+- Use explicit named parameters for `File` methods.
+- Ensure that entries can be extracted safely without path traversal. [#540](https://github.com/rubyzip/rubyzip/issues/540)
+- Enable Zip64 by default.
+- Rename `GPFBit3Error` to `StreamingError`.
+- Ensure that `Entry.ftype` is correct via `InputStream`. [#533](https://github.com/rubyzip/rubyzip/issues/533)
+- Add `Entry#zip64?` as a better way detect Zip64 entries.
+- Implement `Zip::FileSystem::ZipFsFile#symlink?`.
+- Remove `File::add_buffer` from the API.
+- Fix `OutputStream#put_next_entry` to preserve `StreamableStream`s. [#503](https://github.com/rubyzip/rubyzip/issues/503)
+- Ensure `File.open_buffer` doesn't rewrite unchanged data.
+- Add `CentralDirectory#count_entries` and `File::count_entries`.
+- Fix reading unknown extra fields. [#505](https://github.com/rubyzip/rubyzip/issues/505)
+- Fix reading zip files with max length file comment. [#508](https://github.com/rubyzip/rubyzip/issues/508)
+- Fix reading zip64 files with max length file comment. [#509](https://github.com/rubyzip/rubyzip/issues/509)
 - Don't silently alter zip files opened with `Zip::sort_entries`. [#329](https://github.com/rubyzip/rubyzip/issues/329)
 - Use named parameters for optional arguments in the public API.
 - Raise an error if entry names exceed 65,535 characters. [#247](https://github.com/rubyzip/rubyzip/issues/247)
@@ -23,6 +39,18 @@
 
 Tooling/internal:
 
+- Update the README with new Ruby version compatability information.
+- Fix various issues with JRuby tests.
+- Update gem dependency versions.
+- Add Ruby 3.4 to the CI.
+- Fix mispelled variable names in the crypto classes.
+- Only use the Zip64 CDIR end locator if needed.
+- Prevent unnecessary Zip64 data being stored.
+- Abstract marking various things as 'dirty' into `Dirtyable` for reuse.
+- Properly test `File#mkdir`.
+- Remove unused private method `File#directory?`.
+- Expose the `EntrySet` more cleanly through `CentralDirectory`.
+- `Zip::File` no longer subclasses `Zip::CentralDirectory`.
 - Configure Coveralls to not report a failure on minor decreases of test coverage. [#491](https://github.com/rubyzip/rubyzip/issues/491)
 - Extract the file splitting code out into its own module.
 - Refactor, and tidy up, the `Zip::Filesystem` classes for improved maintainability.
@@ -38,6 +66,29 @@ Tooling/internal:
 - Update rubocop again and run it in CI. [#444](https://github.com/rubyzip/rubyzip/pull/444)
 - Fix a test that was incorrect on big-endian architectures. [#445](https://github.com/rubyzip/rubyzip/pull/445)
 
+# 2.4.1 (2025-01-05)
+
+*This is a re-release of version 2.4 with a full version number string. We need to move to version 2.4.1 due to the canonical version number 2.4 now being taken in Rubygems.*
+
+Tooling:
+
+- Opt-in for MFA requirement explicitly on 2.4 branch.
+
+# 2.4 (2025-01-04) - Yanked
+
+*Yanked due to incorrect version number format (2.4 vs 2.4.0).*
+
+- Ensure compatibility with `--enable-frozen-string-literal`.
+- Ensure `File.open_buffer` doesn't rewrite unchanged data. This is a backport of the fix on the 3.x branch.
+- Enable use of the version 3 calling style (mainly named parameters) wherever possible, while retaining version 2.x compatibility.
+- Add (switchable) warning messages to methods that are changed or removed in version 3.x.
+
+Tooling:
+
+- Switch to using GitHub Actions (from Travis).
+- Update Rubocop versions and configuration.
+- Update actions with latest rubies.
+
 # 2.3.2 (2021-07-05)
 
 - A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem `post_install_message` instead of printing to `STDERR`.

data/LICENSE.md

@@ -0,0 +1,24 @@
+BSD 2-Clause License
+
+Copyright (c) 2002-2025, The Rubyzip Developers
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -22,9 +22,9 @@ The public API of some classes has been modernized to use named parameters for o
 
 ## Requirements
 
-Version 3.x requires at least Ruby 2.5.
+Version 3.x requires at least Ruby 3.0.
 
-Version 2.x requires at least Ruby 2.4, and is known to work on Ruby 3.1.
+Version 2.x requires at least Ruby 2.4, and is known to work on Ruby 3.x.
 
 It is not recommended to use any versions of Rubyzip earlier than 2.3 due to security issues.
 
@@ -205,6 +205,27 @@ Any attempt to move about in a zip file opened with `Zip::InputStream` could res
 
 Rubyzip supports reading/writing zip files with traditional zip encryption (a.k.a. "ZipCrypto"). AES encryption is not yet supported. It can be used with buffer streams, e.g.:
 
+#### Version 2.x
+
+```ruby
+# Writing.
+enc = Zip::TraditionalEncrypter.new('password')
+buffer = Zip::OutputStream.write_buffer(::StringIO.new(''), enc) do |output|
+  output.put_next_entry("my_file.txt")
+  output.write my_data
+end
+
+# Reading.
+dec = Zip::TraditionalDecrypter.new('password')
+Zip::InputStream.open(buffer, 0, dec) do |input|
+  entry = input.get_next_entry
+  puts "Contents of '#{entry.name}':"
+  puts input.read
+end
+```
+
+#### Version 3.x
+
 ```ruby
 # Writing.
 enc = Zip::TraditionalEncrypter.new('password')
@@ -338,12 +359,14 @@ end
 
 ### Zip64 Support
 
-By default, Zip64 support is enabled for writing. To disable it do this:
+Since version 3.0, Zip64 support is enabled for writing by default. To disable it do this:
 
 ```ruby
 Zip.write_zip64_support = false
 ```
 
+Prior to version 3.0, Zip64 support is disabled for writing by default.
+
 _NOTE_: If Zip64 write support is enabled then any extractor subsequently used may also require Zip64 support to read from the resultant archive.
 
 ### Block Form
@@ -365,21 +388,24 @@ Rubyzip is known to run on a number of platforms and under a number of different
 
 ### Version 2.3.x
 
-Rubyzip 2.3 is known to work on MRI 2.4 to 3.1 on Linux and Mac, and JRuby and Truffleruby on Linux. There are known issues with Windows which have been fixed on the development branch. Please [let us know](https://github.com/rubyzip/rubyzip/pulls) if you know Rubyzip 2.3 works on a platform/Ruby combination not listed here, or [raise an issue](https://github.com/rubyzip/rubyzip/issues) if you see a failure where we think it should work.
+Rubyzip 2.3 is known to work on MRI 2.4 to 3.4 on Linux and Mac, and JRuby and Truffleruby on Linux. There are known issues with Windows which have been fixed on the development branch. Please [let us know](https://github.com/rubyzip/rubyzip/pulls) if you know Rubyzip 2.3 works on a platform/Ruby combination not listed here, or [raise an issue](https://github.com/rubyzip/rubyzip/issues) if you see a failure where we think it should work.
 
 ### Next (version 3.0.0)
 
 Please see the table below for what we think the current situation is. Note: an empty cell means "unknown", not "does not work".
 
-| OS/Ruby | 2.5 | 2.6 | 2.7 | 3.0 | 3.1 | 3.1 +YJIT | Head | Head +YJIT | JRuby 9.3.2.0 | JRuby Head | Truffleruby 21.3.0 | Truffleruby Head |
-|---------|-----|-----|-----|-----|-----|----------|------|-----------|----------------|------------|--------------------|------------------|
-|Ubuntu 20.04.3| CI | CI | CI | CI | CI | ci | ci | ci | CI | ci | CI | ci |
-|Mac OS 11.6.2| CI | x | x | x | x | ci |  | ci | x |  | x |  |
-|Windows 10|  |  | x |  |  |  |  |  |  |  |  |  |
-|Windows Server 2019| CI |  |  |  |  |  |  |  |  |  |  |  |
+| OS/Ruby | 3.0 | 3.1 | 3.2 | 3.3 | 3.4 | Head | JRuby 9.4.9.0 | JRuby Head | Truffleruby 24.1.1 | Truffleruby Head |
+|---------|-----|-----|-----|-----|-----|------|---------------|------------|--------------------|------------------|
+|Ubuntu 22.04| CI | CI | CI | CI | CI | ci | CI | ci | CI | ci |
+|Mac OS 14.7.2| CI | CI | CI | CI | CI | ci | x |  | x |  |
+|Windows Server 2022| CI |  |  |  | CI&nbsp;mswin</br>CI&nbsp;ucrt |  |  |  |  |  |
 
 Key: `CI` - tested in CI, should work; `ci` - tested in CI, might fail; `x` - known working; `o` - known failing.
 
+Rubies 3.1+ are also tested separately with YJIT turned on (Ubuntu and Mac OS).
+
+See [the Actions tab](https://github.com/rubyzip/rubyzip/actions) in GitHub for full details.
+
 Please [raise a PR](https://github.com/rubyzip/rubyzip/pulls) if you know Rubyzip works on a platform/Ruby combination not listed here, or [raise an issue](https://github.com/rubyzip/rubyzip/issues) if you see a failure where we think it should work.
 
 ## Developing
@@ -422,8 +448,7 @@ See https://github.com/rubyzip/rubyzip/graphs/contributors for a comprehensive l
 
 ## License
 
-Rubyzip is distributed under the same license as ruby. See
-http://www.ruby-lang.org/en/LICENSE.txt
+Rubyzip is distributed under the same license as Ruby. In practice this means you can use it under the terms of the Ruby License or the 2-Clause BSD License. See https://www.ruby-lang.org/en/about/license.txt and LICENSE.md for details.
 
 ## Research notice
 Please note that this repository is participating in a study into sustainability

data/Rakefile

@@ -19,7 +19,7 @@ RDoc::Task.new do |rdoc|
   rdoc.rdoc_files.include('README.md', 'lib/**/*.rb')
   rdoc.options << '--markup=markdown'
   rdoc.options << '--tab-width=2'
-  rdoc.options << "-t Rubyzip version #{::Zip::VERSION}"
+  rdoc.options << "-t Rubyzip version #{Zip::VERSION}"
 end
 
 RuboCop::RakeTask.new

data/lib/zip/central_directory.rb

@@ -28,7 +28,7 @@ module Zip
 
     mark_dirty :<<, :comment=, :delete
 
-    def initialize(entries = EntrySet.new, comment = '') #:nodoc:
+    def initialize(entries = EntrySet.new, comment = '') # :nodoc:
       super(dirty_on_create: false)
       @entry_set = entries.kind_of?(EntrySet) ? entries : EntrySet.new(entries)
       @comment   = comment
@@ -39,7 +39,7 @@ module Zip
       read_central_directory_entries(io)
     end
 
-    def write_to_stream(io) #:nodoc:
+    def write_to_stream(io) # :nodoc:
       cdir_offset = io.tell
       @entry_set.each { |entry| entry.write_c_dir_entry(io) }
       eocd_offset = io.tell
@@ -61,7 +61,7 @@ module Zip
       @size
     end
 
-    def ==(other) #:nodoc:
+    def ==(other) # :nodoc:
       return false unless other.kind_of?(CentralDirectory)
 
       @entry_set.entries.sort == other.entries.sort && comment == other.comment
@@ -69,7 +69,7 @@ module Zip
 
     private
 
-    def write_e_o_c_d(io, offset, cdir_size) #:nodoc:
+    def write_e_o_c_d(io, offset, cdir_size) # :nodoc:
       tmp = [
         END_OF_CD_SIG,
         0, # @numberOfThisDisk
@@ -84,7 +84,7 @@ module Zip
       io << @comment
     end
 
-    def write_64_e_o_c_d(io, offset, cdir_size) #:nodoc:
+    def write_64_e_o_c_d(io, offset, cdir_size) # :nodoc:
       tmp = [
         ZIP64_END_OF_CD_SIG,
         44, # size of zip64 end of central directory record (excludes signature and field itself)
@@ -110,7 +110,7 @@ module Zip
       io << tmp.pack('VVQ<V')
     end
 
-    def unpack_64_e_o_c_d(buffer) #:nodoc:
+    def unpack_64_e_o_c_d(buffer) # :nodoc:
       _, # ZIP64_END_OF_CD_SIG. We know we have this at this point.
       @size_of_zip64_e_o_c_d,
       @version_made_by,
@@ -134,14 +134,14 @@ module Zip
                                end
     end
 
-    def unpack_64_eocd_locator(buffer) #:nodoc:
+    def unpack_64_eocd_locator(buffer) # :nodoc:
       _, # ZIP64_EOCD_LOCATOR_SIG. We know we have this at this point.
       _, zip64_eocd_offset, = buffer.unpack('VVQ<V')
 
       zip64_eocd_offset
     end
 
-    def unpack_e_o_c_d(buffer) #:nodoc:
+    def unpack_e_o_c_d(buffer) # :nodoc:
       _, # END_OF_CD_SIG. We know we have this at this point.
       num_disk,
       num_disk_cdir,
@@ -165,7 +165,7 @@ module Zip
                  end
     end
 
-    def read_central_directory_entries(io) #:nodoc:
+    def read_central_directory_entries(io) # :nodoc:
       # `StringIO` doesn't raise `EINVAL` if you seek beyond the current end,
       # so we need to catch that *and* query `io#eof?` here.
       eof = false
@@ -209,7 +209,7 @@ module Zip
       io.read(e_len)
     end
 
-    def read_eocds(io) #:nodoc:
+    def read_eocds(io) # :nodoc:
       base_location, data = eocd_data(io)
 
       eocd_location = data.rindex([END_OF_CD_SIG].pack('V'))

data/lib/zip/constants.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module Zip
+  # :stopdoc:
+
   RUNNING_ON_WINDOWS = RbConfig::CONFIG['host_os'] =~ /mswin|mingw|cygwin/i
 
   CENTRAL_DIRECTORY_ENTRY_SIGNATURE = 0x02014b50
@@ -116,4 +118,6 @@ module Zip
     COMPRESSION_METHOD_PPMD        => 'PPMd version I, Rev 1',
     COMPRESSION_METHOD_AES         => 'AES encryption'
   }.freeze
+
+  # :startdoc:
 end

data/lib/zip/crypto/decrypted_io.rb

@@ -18,7 +18,7 @@ module Zip
         buffer << produce_input
       end
 
-      outbuf.replace(buffer.slice!(0...(length || output_buffer.bytesize)))
+      outbuf.replace(buffer.slice!(0...(length || buffer.bytesize)))
     end
 
     private

data/lib/zip/crypto/null_encryption.rb

@@ -22,7 +22,7 @@ module Zip
       data
     end
 
-    def data_descriptor(_crc32, _compressed_size, _uncomprssed_size)
+    def data_descriptor(_crc32, _compressed_size, _uncompressed_size)
       ''
     end
 

data/lib/zip/crypto/traditional_encryption.rb

@@ -28,7 +28,7 @@ module Zip
 
     def update_keys(num)
       @key0 = ~Zlib.crc32(num, ~@key0)
-      @key1 = ((@key1 + (@key0 & 0xff)) * 134_775_813 + 1) & 0xffffffff
+      @key1 = (((@key1 + (@key0 & 0xff)) * 134_775_813) + 1) & 0xffffffff
       @key2 = ~Zlib.crc32((@key1 >> 24).chr, ~@key2)
     end
 
@@ -55,8 +55,8 @@ module Zip
       data.unpack('C*').map { |x| encode x }.pack('C*')
     end
 
-    def data_descriptor(crc32, compressed_size, uncomprssed_size)
-      [0x08074b50, crc32, compressed_size, uncomprssed_size].pack('VVVV')
+    def data_descriptor(crc32, compressed_size, uncompressed_size)
+      [0x08074b50, crc32, compressed_size, uncompressed_size].pack('VVVV')
     end
 
     def reset!

data/lib/zip/dos_time.rb

@@ -16,6 +16,14 @@ module Zip
     # bits 5-8 month (1-12)
     # bits 9-15 year (four digit year minus 1980)
 
+    attr_writer :absolute_time # :nodoc:
+
+    def absolute_time?
+      # If absolute time is not set, we can assume it is an absolute time
+      # because times do have timezone information by default.
+      @absolute_time.nil? ? true : @absolute_time
+    end
+
     def to_binary_dos_time
       (sec / 2) +
         (min << 5) +
@@ -53,7 +61,9 @@ module Zip
       month  = (0b111100000 & bin_dos_date) >> 5
       year   = ((0b1111111000000000 & bin_dos_date) >> 9) + 1980
 
-      local(year, month, day, hour, minute, second)
+      time = local(year, month, day, hour, minute, second)
+      time.absolute_time = false
+      time
     end
 
     if defined? JRUBY_VERSION && Gem::Version.new(JRUBY_VERSION) < '9.2.18.0'