is_symlink always returns False

As reported by a user on Huntr.com.

The implementation of is_symlink is hard-coded to return False, which could give the false impression that a path is not a symlink, whereafter they may expand the zipfile using a utility that does honor symlinks, exposing access to unwanted paths.

https://github.com/jaraco/zipp/blob/051250eb0e3024d75e7de09921e4efab074f0112/zipp/__init__.py#L392-L396

That code refers to https://github.com/python/cpython/issues/82102, where CPython's zipfile implementation does not have any support for either detecting nor creating nor extracting symlinks.

However, the `Path` object could provide support for reflecting a symlink if present.

According to the vulnerability report, the symlink could be detected from a `ZipInfo` object with the following expression:

```
(info.external_attr >> 16) & 0o170000 == 0o120000
```

I'd like to verify that logic is correct.

	def is_symlink(self):
	"""
	Return whether this path is a symlink. Always false (python/cpython#82102).
	"""
	return False

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

is_symlink always returns False #117

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

is_symlink always returns False #117

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions