icsharpcode / SharpZipLib

#ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.
http://icsharpcode.github.io/SharpZipLib/
MIT License

Can unpack file from encrypted zip with incorrect password #768

Closed DiskJunky closed 1 year ago

DiskJunky commented 2 years ago

Note: I cannot get correct unencrypted data, the unpacked data is still garbled. This issue is that the unzip logic executes successfully with an incorrect password.

Steps to reproduce

  1. Create a small zip file with one text file in it
  2. Encrypt the zip file using ZipCrypto algorithm, set password to test
  3. Cycle through possible passwords, waiting for a ZipException that does not have a message of "Invalid Password"

A text file was created with the following text as file name Sample.txt (no new line/carriage return)

Some sample text

Zip file was created using 7zip (v22.01) context menu via Windows Explorer. Compression method DEFLATE, compression level "9 - Ultra", password test

Expected behavior

It should only be possible to unpack a file from a zip if the password is correct

Actual behavior

It's possible to go through the unpack steps of extracting a file from an encrypted zip file using an incorrect password, albeit resulting in garbled data in the unpacked file. In the sample tested, the zip file was encrypted with password test but was unpackable with password cy. Can provide sample zip file on request.

Unpacking with password cy using other unzipping tools correctly returned an error with the bad password and unpacked correctly with test.

Version of SharpZipLib

1.3.3

Obtained from (only keep the relevant lines)

piksel commented 2 years ago

There is a 1/256 chance of an invalid password not being detected, as the CRC that is used to check the password is a single byte: https://p1k.se/appnote.md#s616-decrypting-the-encryption-header

To be clear, this is because of how the zipcrypto format is (intentionally) designed and not something we can do much about. Perhaps there could be parts of the decrypted header that could be sanity checked to catch false positives, but that would still only marginally improve the accuracy.
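
The one-byte check described in this thread, as an added example (not code from SharpZipLib or from either commenter): it builds a constructed ZipCrypto entry for password test, counts how many wrong passwords pass the header check byte, and shows that comparing the full CRC-32 of the decrypted data rejects them. It assumes a stored (uncompressed) entry whose check byte is the high byte of the CRC-32; `ZipCrypto`, `make_entry`, `try_password`, `false_accepts` and `wrong_candidates` are hypothetical names.

```python
import itertools, os, string, zlib
# CRC-32 table; ZipCrypto uses the bare table step, without CRC-32's inversions.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

class ZipCrypto:  # hypothetical name; traditional PKWARE cipher, APPNOTE 6.1
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)
    def update(self, b):
        self.k0 = (self.k0 >> 8) ^ CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]
    def crypt(self, data, decrypting):
        out = bytearray()
        for x in data:
            t = (self.k2 | 2) & 0xFFFF
            y = x ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self.update(y if decrypting else x)  # keys always absorb plaintext
            out.append(y)
        return bytes(out)

def make_entry(password, plaintext):
    # Constructed "stored" entry: encrypted 12-byte header followed by the data.
    crc = zlib.crc32(plaintext)
    header = os.urandom(11) + bytes([crc >> 24])  # last byte is the check byte
    return ZipCrypto(password).crypt(header + plaintext, False), crc

def try_password(password, blob, crc):
    # Returns (header check passed, full CRC-32 of decrypted data matched).
    z = ZipCrypto(password)
    if z.crypt(blob[:12], True)[11] != crc >> 24:
        return False, False
    return True, zlib.crc32(z.crypt(blob[12:], True)) == crc

def false_accepts(blob, crc, wrong_passwords):
    results = [try_password(p, blob, crc) for p in wrong_passwords]
    return sum(h for h, _ in results), sum(c for _, c in results)

def wrong_candidates():  # all 17576 three-letter lowercase strings, none correct
    return ["".join(t).encode() for t in itertools.product(string.ascii_lowercase, repeat=3)]
if __name__ == "__main__":
    blob, crc = make_entry(b"test", b"Some sample text")
    print(false_accepts(blob, crc, wrong_candidates()))
```

On each run roughly 17576/256 ≈ 69 of the wrong passwords pass the one-byte header check, and the full CRC-32 comparison rejects all of them, which is why a caller should treat a CRC mismatch after extraction as a failed password.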