Red Hat Bugzilla – Bug 175937
zip allows no password deleting from password protected file
Last modified: 2007-11-30 17:11:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Description of problem:
zip allows files to be deleted from password protected zip files without knowing the password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create password protected zip file
[thompson@monotheletisia new]$ zip -d infected.zip imgma.jpg
[thompson@monotheletisia new]$ unzip -t infected.zip
[infected.zip] enter1.htm password:
testing: enter1.htm OK
testing: count2.gif OK
No errors detected in compressed data of infected.zip.
I discussed this problem with zip/unzip maintainers.
They write that this behavior is right because it is technically trivial to delete
password-protected files from archives. If removal without a password weren't
allowed, someone could change it, and that would be a worse problem.
That's why upstream does not try to make this operation password-protected and
leaves this operation as it is. Users will be better aware of what can be done
password-protected and what can't. I think this is a good reason to leave unzip
Thank you for your notice.
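
Added example, not part of the original report or of zip/unzip: since the archive password does not stop a member from being removed, one way to detect removal is to keep an HMAC-authenticated record of the member list and archive digest outside the archive. The key, file contents and function names are constructed for illustration; Python's zipfile cannot write encrypted members, so the sample archive is unencrypted, and the check reads only the member listing and the raw bytes.

```python
import hashlib, hmac, io, json, zipfile

def build_archive(members):
    """Build an in-memory ZIP from {name: bytes}; stands in for the real archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def member_names(zip_bytes):
    """List member names from the central directory; no password is involved."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())

def seal(zip_bytes, key):
    """Record the member list and archive digest, authenticated with HMAC-SHA256."""
    body = json.dumps({"names": member_names(zip_bytes),
                       "sha256": hashlib.sha256(zip_bytes).hexdigest()}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def check(zip_bytes, key, sealed):
    """Return (intact, missing, unexpected) for an archive against its sealed record."""
    tag = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        raise ValueError("sealed record fails authentication")
    rec = json.loads(sealed["body"])
    now, then = set(member_names(zip_bytes)), set(rec["names"])
    intact = hashlib.sha256(zip_bytes).hexdigest() == rec["sha256"]
    return intact, sorted(then - now), sorted(now - then)

# Constructed sample data; member names taken from the report above.
KEY = b"constructed-demo-key"
FILES = {"enter1.htm": b"<html>1</html>", "count2.gif": b"GIF89a", "imgma.jpg": b"\xff\xd8\xff"}
ORIGINAL = build_archive(FILES)
SEALED = seal(ORIGINAL, KEY)
# Same archive after a member has been removed, as in the reproduction steps.
REDUCED = build_archive({n: d for n, d in FILES.items() if n != "imgma.jpg"})

if __name__ == "__main__":
    print(check(ORIGINAL, KEY, SEALED))
    print(check(REDUCED, KEY, SEALED))
```

The sealed record has to be stored and verified separately from the archive, with a key the party handling the archive does not hold.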