Menu
▾
▴
#50 password argument shown in error output
Summary:
With version 3.0-8 (Ubuntu 14.0.04.5), the password used to encrypt a zip archive may be shown in zip's output.
Steps to reproduce:
1- On Ubuntu 14.04.5, issue the following command "zip -r myziparchive.zip -P <some_password> <some_inexistent_directory>"
2- Confirm the output you get is: "zip warning: name not matched: /tmp/BCP</some_inexistent_directory></some_password>
zip error: Nothing to do! (try: zip -r -P <some_password> myziparchive.zip . -i <some_inexistent_directory>)"
3- Confirm the output shows the password provided as argument to the zip command</some_inexistent_directory></some_password>
Additional info:
I know that providing a password as argument to the zip command is not recommended. Though, you support it and as such should not put at stake the password's confidentiality. I believe it's a security issue: zip's output , hence the password argument, might be stored in log files or automaticaly sent emails.
Other programs, loke mysql for example (see https://bazaar.launchpad.net/~mysql/mysql-server/5.5/view/head:/client/mysql.cc#L1734), sanitizes their password argument to prevent such leak, and I believe zip should do the same.
Thanks for report. For many other reasons, that whole "try: [...]"
suggested-command thing has been removed from the development code.
(Revealing a -P password is another good reason.) The next beta
release, Zip 3.1e, should be done soon, and that should include this
change.
Great!
Thanks for the feedback
Cyrille