zipinfo executable permission mystery
Closed this issue · 2 comments
obfusk commented
For some reason, the original zipinfo marks files named META-INF/services/io.jsonwebtoken.CompressionCodec as executable.
I have no idea why, since there are no metadata differences that would explain this.
So I'm assuming it's an odd bug in the original, not in the Python version in this repo.
I've seen this with several different APK files, and it's always the same filename, never any other file.
@@ -95,7 +95,7 @@
-rw---- 2.4 fat 5 b- 5 stor 81-Jan-01 01:01 META-INF/kotlinx_coroutines_core.version
-rw---- 2.4 fat 39 b- 39 stor 81-Jan-01 01:01 META-INF/services/com.fasterxml.jackson.core.JsonFactory
-rw---- 2.4 fat 44 b- 44 stor 81-Jan-01 01:01 META-INF/services/com.fasterxml.jackson.core.ObjectCodec
--rwx--- 2.4 fat 110 b- 60 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.CompressionCodec
+-rw---- 2.4 fat 110 b- 60 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.CompressionCodec
-rw---- 2.4 fat 46 b- 42 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.io.Deserializer
-rw---- 2.4 fat 44 b- 40 defN 81-Jan-01 01:01 META-INF/services/io.jsonwebtoken.io.Serializer
-rw---- 2.4 fat 112 b- 57 defN 81-Jan-01 01:01 META-INF/services/java.security.Provider
obfusk commented
> So I'm assuming it's an odd bug in the original

And indeed it is, since the extension .CompressionCodec starts with .com.
https://sources.debian.org/src/unzip/6.0-27/zipinfo.c/#L2086
if (STRNICMP(p, "com", 3) == 0 ||
    STRNICMP(p, "exe", 3) == 0 ||
    STRNICMP(p, "btm", 3) == 0 ||
    STRNICMP(p, "cmd", 3) == 0 ||
    STRNICMP(p, "bat", 3) == 0)
    attribs[3] = 'x';
obfusk commented
Found another example:
-rwx--- 2.0 fat 0 b- 0 stor 23-Jan-24 22:31 META-INF/maven/org.apache.commons/
-rwx--- 2.0 fat 0 b- 0 stor 23-Jan-24 22:31 META-INF/maven/org.apache.commons/commons-lang3/
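The prefix match quoted from zipinfo.c, written out as an added Python example (not code from the issue, from unzip, or from this repo) that lists which entries of an archive would get the spurious `x`, so that a mismatch between two zipinfo listings can be attributed to the quirk rather than to a real metadata difference. Assumptions: `p` points just past the last `.` of the whole entry name, which is consistent with both listings on the page; only FAT-host entries are considered, as in those listings; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Three-letter prefixes from the zipinfo.c excerpt quoted in the issue.
EXEC_PREFIXES = ("com", "exe", "btm", "cmd", "bat")
FAT_HOST = 0   # "version made by" host value for MS-DOS/FAT
UNIX_HOST = 3  # host value for Unix


def triggers_ext_quirk(name: str) -> bool:
    """True if the text after the last '.' starts with a listed prefix.

    Mirrors STRNICMP(p, "...", 3): case-insensitive, first three characters
    only, so ".CompressionCodec" and ".commons/" both match "com".
    Assumption: the last '.' is searched for in the whole entry name.
    """
    _, dot, tail = name.rpartition(".")
    return bool(dot) and tail[:3].lower() in EXEC_PREFIXES


def quirk_entries(zip_bytes: bytes) -> list:
    """Names of FAT-host entries that would be shown as executable
    purely because of the prefix match."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.create_system == FAT_HOST
                and triggers_ext_quirk(info.filename)]


def build_sample() -> bytes:
    """Constructed archive; entry names are taken from the listings above,
    except tool.exe, which is made up to show the host filter."""
    entries = [
        ("META-INF/services/io.jsonwebtoken.CompressionCodec", FAT_HOST),
        ("META-INF/services/io.jsonwebtoken.io.Deserializer", FAT_HOST),
        ("META-INF/maven/org.apache.commons/", FAT_HOST),
        ("META-INF/maven/org.apache.commons/commons-lang3/", FAT_HOST),
        ("tool.exe", UNIX_HOST),  # Unix host: outside the assumed FAT scope
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, host in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = host
            zf.writestr(info, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in quirk_entries(build_sample()):
        print(entry)
```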