is_symlink always returns False #117

jaraco · 2024-05-26T15:24:58Z

As reported by a user on Huntr.com.

The implementation of is_symlink is hard-coded to return False, which could give the false impression that a path is not a symlink, whereafter they may expand the zipfile using a utility that does honor symlinks, exposing access to unwanted paths.

zipp/zipp/__init__.py

Lines 392 to 396 in 051250e

    
               def is_symlink(self): 
        
                   """ 
        
                   Return whether this path is a symlink. Always false (python/cpython#82102). 
        
                   """ 
        
                   return False

That code refers to python/cpython#82102, where CPython's zipfile implementation does not have any support for either detecting nor creating nor extracting symlinks.

However, the Path object could provide support for reflecting a symlink if present.

According to the vulnerability report, the symlink could be detected from a ZipInfo object with the following expression:

(info.external_attr >> 16) & 0o170000 == 0o120000

I'd like to verify that logic is correct.

The text was updated successfully, but these errors were encountered:

jaraco · 2024-05-26T15:26:23Z

It does appear as if stat.S_ISLINK() can be used in place of == 0o120000.

jaraco · 2024-05-26T16:21:12Z

Fix released as v3.19.0.

jaraco self-assigned this May 26, 2024

jaraco closed this as completed in dc5fe8f May 26, 2024

jaraco mentioned this issue May 27, 2024

Implement zipfile.Path.is_symlink python/cpython#119588

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

is_symlink always returns False #117

is_symlink always returns False #117

jaraco commented May 26, 2024

jaraco commented May 26, 2024

jaraco commented May 26, 2024

is_symlink always returns False #117

is_symlink always returns False #117

Comments

jaraco commented May 26, 2024

jaraco commented May 26, 2024

jaraco commented May 26, 2024