Files within encrypted zip are visible even with wrong password

gildas-lormeau / zip.js

JavaScript library to zip and unzip files supporting multi-core compression, compression streams, zip64, split files and encryption.

https://gildas-lormeau.github.io/zip.js

BSD 3-Clause "New" or "Revised" License

3.38k stars 510 forks source link

Files within encrypted zip are visible even with wrong password #415

Closed trock-broadinst closed 1 year ago

trock-broadinst commented 1 year ago

I was recently experimenting with the password-encrypted winzip aes funcitonality this library provides, however I've noticed that even when the wrong password is provided, the files within the zip can still be seen. Aside from zipping the files, then externally encrypting the resulting blob, is there any way to prevent the zip filestructure from being read by unauthenticated openers?

gildas-lormeau commented 1 year ago

You want what is called "Central Directory Encryption" which is patented, see https://stackoverflow.com/questions/58394110/pkware-zip-central-directory-encryption. That's why it's not implemented in open-source libraries.

trock-broadinst commented 1 year ago

hah! that's real rich, thanks for the prompt response, let's hope the patent expires soon

gildas-lormeau commented 1 year ago

You're welcome, I hope indeed that zip.js will still be maintained when it expires ;)