GNOME Bugzilla – Bug 323534
Passwords improperly escaped for zip files
Last modified: 2005-12-09 09:05:08 UTC
Version details: 2.12.2
[ initial bug report at http://bugs.debian.org/342378 ]

When a password is used for zip files, it is made by passing the command "zip -Ppassword" to a shell. However, some characters are improperly escaped. For example, as the user reported, using a $ character leads to "zip -Pfoo$bar", which is translated to "zip -Pfoo" by the shell.

Another, more striking example: entering "toto`touch /tmp/grouik`" as a password will actually lead to creating /tmp/grouik. The security implications are obvious.

Only *?[] are escaped, according to zip_escape in fr-command-zip.c. That makes at least '`"()$!; missing.

I will go further: my feeling is that, for security reasons, all of this should be completely rewritten. Calling a shell is a very bad idea because you have to check the strings for sanity, and you can never be sure a sanity check is perfect. Calling zip -P is a very bad idea as well, as it makes the password viewable by any other user on the system, using the "ps" command. The zip manual page states it itself:

    -P password
        use password to encrypt zipfile entries (if any). THIS IS INSECURE! Many multi-user operating systems provide ways for any user to see the current command line of any other user; even on stand-alone systems there is always the threat of over-the-shoulder peeking. Storing the plaintext password as part of a command line in an automated script is even worse. Whenever possible, use the non-echoing, interactive prompt to enter passwords.
I think that if you want *real* security you shouldn't use the zip password at all; gnupg is a better solution. This is noted in the file-roller manual too.

Fixed the escape issue in current CVS now, thanks.
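An added example, not part of the bug report and not file-roller's code: it contrasts an escape routine limited to *?[] (a reconstruction of the behaviour the report describes) with POSIX single-quote quoting, and asks /bin/sh which argument a command would actually receive. The function names are hypothetical, and printf stands in for zip.

```c
#define _POSIX_C_SOURCE 200809L /* popen, pclose, unsetenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backslash-escape only * ? [ ], the set the report attributes to zip_escape.
   Reconstruction for illustration, not file-roller's code. */
static char *escape_glob_only(const char *s) {
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    for (; *s; s++) {
        if (strchr("*?[]", *s)) *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* POSIX single-quote quoting: nothing is special inside '...'; an embedded
   ' is written as '\'' (close quote, escaped quote, reopen quote). */
static char *shell_quote(const char *s) {
    char *out = malloc(4 * strlen(s) + 3), *p = out;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Ask /bin/sh which argument a command would receive for "-P<word>".
   printf stands in for zip, so no archive or password is involved. */
static char *arg_seen_by_command(const char *word) {
    char cmd[512], *buf = malloc(256);
    snprintf(cmd, sizeof cmd, "printf %%s -P%s", word);
    FILE *f = popen(cmd, "r");
    if (!f) { free(buf); return NULL; }
    buf[fread(buf, 1, 255, f)] = '\0';
    pclose(f);
    return buf;
}

int main(void) {
    const char *pw = "foo$bar";           /* password from the report */
    unsetenv("bar");                      /* make the expansion deterministic */
    printf("glob-only escape -> %s\n", arg_seen_by_command(escape_glob_only(pw)));
    printf("single-quoted    -> %s\n", arg_seen_by_command(shell_quote(pw)));
    return 0;
}
```

Quoting addresses only the escaping problem; the password is still on the command line and visible through "ps", as the zip manual excerpt in the report warns.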