
#51 unzip extracts files even if a password is expected

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Created: 2017-11-06
Updated: 2017-11-06
Private: No

Using unzip 6.10b, it is possible to extract files from an unencrypted archive even when the "-P" parameter is used.

This means that if unzip is used to verify the origin of an encrypted package and it is passed an unencrypted archive, it will simply extract the files without error. This could be a security problem since the password protection can be circumvented by using an unencrypted archive.

Discussion

  • Jean-François Têtu

    Please see this patch for a proposed solution.

    Thanks!

  • Steven Schweda

    Steven Schweda - 2017-11-06

    Thanks for the report and the suggested patch.

    Using unzip 6.10b, it is possible to extract files from an unencrypted
    archive even when the "-P" parameter is used.

    The fundamental problem with this complaint is that there is no such
    thing as "an unencrypted archive", only an encrypted member of an
    archive. It's perfectly legal to mix encrypted members and unencrypted
    members in a single archive. When a user supplies a password
    (interactively, or using -P), UnZip will use it when it sees an
    encrypted archive member, and ignore it when it sees an unencrypted
    archive member.

    Different archive members can have different compression methods
    (including "Store" = no compression). They can have different
    encryption methods (including none). On systems where files have
    interesting attributes, they can have different file attributes (or
    none). These are all properties of archive members, not of archives.

    [...] it will simply extract the files without error.

    That has always been the intended behavior.

    This could be a security problem since the password protection can be
    circumvented by using an unencrypted archive.

    I'm open to a good counter-argument, but a change like the one you
    suggest would break UnZip for many (previously) perfectly valid archives
    which have mixed contents.

    If you want to ensure package integrity and encryption, then it might
    make more sense to use a separate encryption program (like, say, GnuPG)
    on an archive, or to use Zip to encrypt an entire archive (as a file).

    • Jean-François Têtu

      Hello. Thanks for the quick response!

      The fundamental problem with this complaint is that there is no such
      thing as "an unencrypted archive", only an encrypted member of an
      archive. It's perfectly legal to mix encrypted members and unencrypted
      members in a single archive.

      Oh. Well in that case yes, my patch is quite useless. I did not think of the use-case where a user would add encrypted/protected members to an archive and then add some more members using other compression methods. What I wished for was that as soon as a member was encrypted, or protected, every other member would be encrypted as well.

      That has always been the intended behavior.

      Given what I just realized, this is what I would expect as well :).

      I'm open to a good counter-argument, but a change like the one you
      suggest would break UnZip for many (previously) perfectly valid archives
      which have mixed contents.

      Maybe one solution would be to add another flag that would say something along the lines of "Ensure all members of an archive are encrypted". But something like I suggest would indeed break a lot of archives.

      If you want to ensure package integrity and encryption, then it might
      make more sense to use a separate encryption program (like, say, GnuPG)
      on an archive, or to use Zip to encrypt an entire archive (as a file).

      Yes, I agree that something like GnuPG would be more appropriate, but I needed specifically Zip+password for what I need. I'll use the patched version locally, since it works for what I need and I understand that you cannot take this.

      Thanks!
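The per-member check the reporter wished for, written as an added example that is not part of this ticket or of Info-ZIP's code. The script builds two small archives in memory with the traditional PKWARE "ZipCrypto" scheme (one where every member is encrypted, one mixed), then shows that a lenient extraction, which is what `unzip -P` does, pulls everything out of the mixed archive, while a strict policy refuses it because encryption is recorded per member in the central-directory flag bits, exactly as Steven describes. The archives, the member names, the password `hunter2` and the fixed 11-byte encryption-header filler are constructed for this example; a real writer uses random filler bytes.

```python
"""Per-member encryption check for ZIP archives (added example, not Info-ZIP code).

A password handed to unzip applies only to members whose "encrypted" flag
(general-purpose flag bit 0) is set; unencrypted members extract regardless.
This script builds constructed archives in memory and applies the strict
policy "refuse unless every member is encrypted".
"""
import io
import struct
import zipfile
import zlib

# CRC-32 table (polynomial 0xEDB88320), used by the ZipCrypto key schedule.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE encryption (APPNOTE.TXT 6.1), used only to build test data."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc, b):
        return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

    def _update(self, b):
        self.k0 = self._crc(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for b in plain:
            t = (self.k2 | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)          # keys advance on the plaintext byte
        return bytes(out)


def build_zip(members):
    """Build a ZIP of stored members; members = [(name, data, password_or_None)].

    Constructed minimal writer for this example, not a general-purpose one.
    Each member carries its own encryption flag, which is the point of the ticket.
    """
    body, central = bytearray(), bytearray()
    for name, data, password in members:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        flags, payload = 0, data
        if password is not None:
            flags |= 0x0001                       # bit 0: this member is encrypted
            # 12-byte encryption header: 11 filler bytes (fixed here, random in
            # real writers) plus the CRC high byte that decrypters use as a check.
            header = b"\x00" * 11 + bytes([(crc >> 24) & 0xFF])
            payload = ZipCrypto(password).encrypt(header + data)
        fname = name.encode("ascii")
        offset = len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(payload), len(data), len(fname), 0)
        body += fname + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0x21, crc, len(payload), len(data), len(fname),
                               0, 0, 0, 0, 0, offset)
        central += fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def unencrypted_members(zip_bytes: bytes) -> list:
    """Names of members whose central-directory flag bit 0 is clear."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not (i.flag_bits & 0x0001)]


def lenient_extract(zip_bytes: bytes, password: bytes) -> dict:
    """What unzip -P does: the password is used for encrypted members, ignored otherwise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: zf.read(i, pwd=password) for i in zf.infolist()}


def extract_strict(zip_bytes: bytes, password: bytes) -> dict:
    """Extract only if every member is encrypted, else raise instead of extracting."""
    plain = unencrypted_members(zip_bytes)
    if plain:
        raise ValueError(f"refusing archive: unencrypted members {plain}")
    return lenient_extract(zip_bytes, password)


PASSWORD = b"hunter2"                             # constructed sample password
ALL_ENCRYPTED = build_zip([("a.txt", b"alpha\n", PASSWORD), ("b.txt", b"beta\n", PASSWORD)])
MIXED = build_zip([("a.txt", b"alpha\n", PASSWORD), ("b.txt", b"beta\n", None)])

if __name__ == "__main__":
    print("lenient, mixed:", lenient_extract(MIXED, PASSWORD))        # both members come out
    print("strict, all encrypted:", extract_strict(ALL_ENCRYPTED, PASSWORD))
    try:
        extract_strict(MIXED, PASSWORD)
    except ValueError as exc:
        print("strict, mixed:", exc)
```

The strict path reads nothing but the central directory before deciding, so it can be bolted in front of any extraction as the "ensure all members are encrypted" flag discussed above. ZipCrypto itself is the legacy cipher and is weak against known-plaintext attacks, which is another reason the thread's suggestion to encrypt the whole archive file with a tool such as GnuPG is the sounder design.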

