Huge BUGS in 7-Zip

J Schmitz
2016-08-28
2016-09-08
  • J Schmitz

    J Schmitz - 2016-08-28

    Based on some reviews stating how 'great' 7-Zip is, I downloaded the tool and started using it.
    At first it appealed to me.
    But it didn't take long before I ran into several serious bugs in 7-Zip, making this tool lose any value for me.
    Therefore I hope the developer(s) of 7-Zip read this and will take action.
    As a 30-years experienced software-designer/-developer I know what I'm talking about.

    My plan was to use this tool for grouping files in archives with Strong password protection.
    So I created several archives. ....Until following issues (see below) were found.
    I expected a Strong password protected archive to be mine, and mine only.
    So it should be only ME who should be allowed to add, extract, edit or delete files, or someone who I gave the password. It's NOT!

    Issue 1: It appears that everybody can delete files from an archive, even if it is "protected" with a strong password.
    Just by pressing DELETE!
    As I also found in several tickets on this site, this issue was reported some time ago, but is still there in the last version.
    This makes any archive fully Worthless, as the content is NOT secured!
    ALWAYS (!) 7-Zip should ask for the password, before ANY (!) action is to be performed.

    Issue 2: It appears that everybody can Add files to a strong password-protected archive, without 7-Zip asking for the password.
    This way anybody can corrupt an archive, fill it with rubbish or -even worse- can add his/her file to a wrong archive, delete the original and will never find back where the file was stored.
    ALWAYS (!) 7-Zip should ask for the password, before ANY (!) action is to be performed.

    Issue 3: As an extension to Issue 2: that unintended adding of the file can be read by ANYBODY, added to the strong password-protected archive, without 7-Zip asking for any password. Wrong, wrong, wrong!
    ALWAYS (!) 7-Zip should ask for the password, before ANY (!) action is to be performed.

    Issue 4: Trying to extract all files from the strong password-protected archive, BUT without giving a password OR giving a wrong password deliberately, caused 7-Zip to extract all files.
    This is what Hackers test at first!
    Files, added by accident without filling the password-boxes when adding the file to the archive or added on purpose but forgetting to fill the password-boxes, were EXTRACTED fully open and readable for anyone!

    “Protected”-files were extracted also, but for those 7-Zip asked for the password. Only files with their filenames were created but with size 0. So meanwhile all filenames were visible, and could inform hackers if the archive would be interesting to explore or not.
    ALWAYS (!) 7-Zip should ask for the password, before ANY (!) action is to be performed.

    Issue 5: ALL filenames and file-structures are visible to ANYBODY.
    Even filenames from other included Zip-files (e.g. from WinZip) are shown.
    This way hackers are given a way of deduction for the content of an archive.
    There should be an option to ENCRYPT the filenames also.

    The basic password-functionality of 7-Zip is wrong, very wrong.
    Asking for passwords is lacking or done at the wrong points in the process of creating archives.
    I strongly advise the developers to improve this functionality ASAP.

    Hope to hear from you.

     
  • Igor Pavlov

    Igor Pavlov - 2016-08-29

    7-Zip can encrypt file names for 7z archives.

     
  • Oleg

    Oleg - 2016-08-30

    Hello J Schmitz,
    If you create an archive with the option "Encrypt file names" ticked, then you can't enter the archive without the password.

    There are so many people who love 7-Zip, but many are crying about GUI topics.

    Please, let's try using the command line version, and recompile 7-Zip for Linux and Android.

     
  • Oliver Jia

    Oliver Jia - 2016-08-31

    Yes, as Oleg suggested, all the OP needed to do was to select the "also encrypt file names" checkbox, and all the problems he mentioned would be gone.
    Plus, I don't have issues 3 and 4 that the OP has. As said, Issues 1, 2 and 5 are not very serious problems, and they can be easily solved by the file name encryption checkbox.

     
  • mdadm

    mdadm - 2016-09-07

    Hello J Schmitz.

    Note that you can alter/modify/destroy the contents of an encrypted archive when the option "Encrypt file names" is not set, but you can't find out the original content of these files, so in that case encryption works!
    You can even change the names of file(s) to be the same as others, so when unpacking they will overwrite themselves. 7z archive is more restrictive.
    Testing that kind of modified archive with properly entered password returns no errors.

    The same is true of the newest WinRAR (5.40) with all versions of rar and zip archives (you just have to add file(s) when in the archive), when the option "Encrypt file names" is not set. You can even add file(s) with a different password than the archive (and when testing you must properly provide the chain of passwords for the files to achieve a no-errors message). So maybe it's not a bug - it's a feature - which can be used, imagine how.

    WinRAR has an option "Lock archive" that is even more restrictive than the "Encrypt file names" option - it blocks any modification to the contents of the archive (add/replace files, change file names). So maybe that could be a worthy option to implement which could solve that problem once and for all.
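
The "Encrypt file names" checkbox the replies refer to corresponds to the `-mhe=on` switch of the 7-Zip command line for 7z archives. The script below is an added example, not part of the original thread: it builds one archive with only the file data encrypted and one with the headers encrypted too, then checks whether the member name can be listed without the correct password. The password, file name and archive names are constructed.

```shell
#!/bin/sh
# Added example. Password, file name and archive names are constructed.
# A password on the command line is visible in the process list; for real
# use, pass -p with no value so 7-Zip prompts for it instead.
DEMO_PW='constructed-demo-passphrase'

# Print the name of the first 7-Zip command-line binary found on PATH.
find_7z() {
    for bin in 7z 7zz 7za; do
        if command -v "$bin" >/dev/null 2>&1; then echo "$bin"; return 0; fi
    done
    return 1
}

# make_archives DIR: build two archives from one sample file in DIR.
#   data-only.7z  file data encrypted, headers (names, sizes) in the clear
#   headers.7z    -mhe=on also encrypts the headers ("Encrypt file names")
make_archives() {
    dir=$1
    z=$(find_7z) || return 1
    printf 'constructed sample content\n' > "$dir/payroll-2016.txt"
    ( cd "$dir" &&
      "$z" a -p"$DEMO_PW" data-only.7z payroll-2016.txt >/dev/null &&
      "$z" a -p"$DEMO_PW" -mhe=on headers.7z payroll-2016.txt >/dev/null )
}

# names_visible ARCHIVE: succeeds if the member name shows up in a listing
# made with a wrong password, i.e. the headers are not protected.
names_visible() {
    z=$(find_7z) || return 2
    "$z" l -p'not-the-password' "$1" 2>/dev/null </dev/null |
        grep -q 'payroll-2016.txt'
}

work=$(mktemp -d)
if make_archives "$work"; then
    names_visible "$work/data-only.7z" &&
        echo "data-only.7z: file names listed without the password"
    names_visible "$work/headers.7z" ||
        echo "headers.7z: listing refused without the password"
else
    echo "7-Zip command-line binary not found" >&2
fi
rm -rf "$work"
```
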

     
