[Bug 323534] New: Passwords improperly escaped for zip files

file-roller (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Thu Dec 8 10:10:17 UTC 2005


Do not reply to this via email (we are currently unable to handle email
responses and they get discarded).  You can add comments to this bug at
http://bugzilla.gnome.org/show_bug.cgi?id=323534
 file-roller | general | Ver: 2.12.x

           Summary: Passwords improperly escaped for zip files
           Product: file-roller
           Version: 2.12.x
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: Normal
         Component: general
        AssignedTo: paolo.bacchilega at libero.it
        ReportedBy: joss at debian.org
         QAContact: file-roller-qa-maint at gnome.bugs
                CC: pkg-gnome-maintainers at lists.alioth.debian.org,
                    all-bugs at bugzilla.gnome.org


Version details: 2.12.2

[ initial bug report at http://bugs.debian.org/342378 ]

When a password is used for zip files, it is made by passing the command "zip
-Ppassword" to a shell. However, some characters are improperly escaped. For
example, as the user reported, using a $ character leads to "zip -Pfoo$bar",
which is translated to "zip -Pfoo" by the shell.

Another, more striking example: entering "toto`touch /tmp/grouik`" as a password
will actually lead to creating /tmp/grouik. The security implications are
obvious. Only *?[] are escaped, according to zip_escape in fr-command-zip.c.
That makes at least '`"()$!; missing.

I will go further: my feeling is that, for security reasons, all of this should
be completely rewritten. Calling a shell is a very bad idea because you have to
check the strings for sanity, and you can never be sure a sanity check is
perfect. Calling zip -P is a very bad idea as well, as it makes the password
viewable by any other user on the system, using the "ps" command. The zip
manual page states it itself:
       -P password
              use password to encrypt zipfile entries (if any).  THIS IS INSE‐
              CURE!   Many  multi-user  operating systems provide ways for any
              user to see the current command line of any other user; even  on
              stand-alone  systems  there  is  always  the threat of over-the-
              shoulder peeking.  Storing the plaintext password as part  of  a
              command  line  in  an  automated script is even worse.  Whenever
              possible, use the non-echoing, interactive prompt to enter pass‐
              words.
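
Added example, not part of the original report and not file-roller's code: the C program below contrasts a command string handed to /bin/sh with an argv array handed straight to exec, using the report's "foo$bar" password, and captures what the child process actually receives. It assumes a POSIX system with `printf` on PATH standing in for zip; `child_sees` is a hypothetical helper name. Passing argv removes the quoting problem only; a password in argv is still visible through "ps", as the manual page excerpt says.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical helper: run `printf %s <value>` (stand-in for `zip -P<value>`)
 * and capture what the child received. via_shell=1 builds a command string
 * for /bin/sh as the report describes; via_shell=0 passes an argv array. */
static int child_sees(const char *value, int via_shell, char *out, size_t n)
{
    int fds[2], status;
    if (n == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        if (via_shell) {                  /* the shell re-parses the value */
            char cmd[512];
            snprintf(cmd, sizeof cmd, "printf %%s %s", value);
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        } else {                          /* no shell: value is one argument */
            char *argv[] = { "printf", "%s", (char *)value, NULL };
            execvp(argv[0], argv);
        }
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t used = 0; ssize_t r;
    while (used < n - 1 && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char got[256];
    const char *password = "foo$bar";     /* sample value from the report */
    unsetenv("bar");                      /* keep the expansion deterministic */
    child_sees(password, 1, got, sizeof got);
    printf("via shell: [%s]\n", got);
    child_sees(password, 0, got, sizeof got);
    printf("via argv:  [%s]\n", got);
    return 0;
}
```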
