search

haf / DotNetZip.Semverd

Please use System.IO.Compression! A fork of the DotNetZip project without signing with a solution that compiles cleanly. This project aims to follow semver to avoid versioning conflicts. DotNetZip is a FAST, FREE class library and toolset for manipulating zip files. Use VB, C# or any .NET language to easily create, extract, or update zip files.
Other
550 stars 235 forks source link

issue with pkzip weak encryption #266

Open ArnaudDebaene opened 2 years ago

ArnaudDebaene commented 2 years ago

Hello,

Using Dotnetzip 1.16 from nuget with .Net core sample app, I run into an issue with PkzipWeak encryption:

Using the following simple test:

private static void Main(string[] args)
{
    using (var zipFile = new ZipFile())
    {
        var entry = zipFile.AddEntry("dummy.bin", (nameof, stream) =>
        {
            var r = new Random();
            var buffer = new byte[40960];
            r.NextBytes(buffer);
            stream.Write(buffer);
        });
        entry.Encryption = EncryptionAlgorithm.PkzipWeak;
        entry.Password = "pwd12345";
        zipFile.Save("testzip.zip");
    }

    var check = ZipFile.CheckZipPassword("testzip.zip", "pwd12345");
}

The verification of the file with CheckWithPassword fails. I also checked with several tools (Z-zip, Windows Explorer,...) that the generated file is indeed incorrect (or at least cannot be dezipped with specified password). When using Aes128 or Aes256 for encryption method, the test succeeds....

What gives? I must be missing something obvious here...

Thank you!

jshergal commented 1 year ago

Thanks for reporting this bug/problem, and sorry about the delay in getting back to you. This is a self-service repository, where we merge PRs and where the merging of PRs causes nugets to be pushed automatically (if you bump the version number in your PR). I'll leave this issue open until someone (or yourself) fixes it.