Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
yauzl - npm Package Compare versions
Comparing version 1.1.0 to 1.1.1
33
index.js
@@ -80,3 +80,3 @@ var fs = require("fs"); | ||
| var comment = bufferToString(eocdrBuffer, 22, eocdrBuffer.length, false); | ||
| return callback(null, new ZipFile(fd, cdOffset, entryCount, comment, options.autoClose)); | ||
| return callback(null, new ZipFile(fd, cdOffset, stats.size, entryCount, comment, options.autoClose)); | ||
| } | ||
@@ -89,3 +89,3 @@ callback(new Error("end of central directory record signature not found")); | ||
| util.inherits(ZipFile, EventEmitter); | ||
| function ZipFile(fd, cdOffset, entryCount, comment, autoClose) { | ||
| function ZipFile(fd, cdOffset, fileSize, entryCount, comment, autoClose) { | ||
| var self = this; | ||
@@ -104,2 +104,3 @@ EventEmitter.call(self); | ||
| self.readEntryCursor = cdOffset; | ||
| self.fileSize = fileSize; | ||
| self.entryCount = entryCount; | ||
@@ -176,3 +177,7 @@ self.comment = comment; | ||
| var isUtf8 = entry.generalPurposeBitFlag & 0x800 | ||
| entry.fileName = bufferToString(buffer, 0, entry.fileNameLength); | ||
| try { | ||
| entry.fileName = bufferToString(buffer, 0, entry.fileNameLength, isUtf8); | ||
| } catch (e) { | ||
| return emitErrorAndAutoClose(self, e); | ||
| } | ||
@@ -199,3 +204,7 @@ // 46+n - Extra field | ||
| // 46+n+m - File comment | ||
| entry.fileComment = bufferToString(buffer, fileCommentStart, fileCommentStart + entry.fileCommentLength); | ||
| try { | ||
| entry.fileComment = bufferToString(buffer, fileCommentStart, fileCommentStart + entry.fileCommentLength, isUtf8); | ||
| } catch (e) { | ||
| return emitErrorAndAutoClose(self, e); | ||
| } | ||
@@ -207,3 +216,4 @@ self.readEntryCursor += buffer.length; | ||
| if (entry.fileName.indexOf("\\") !== -1) return emitErrorAndAutoClose(self, new Error("invalid characters in fileName: " + entry.fileName)); | ||
| if (/^[a-zA-Z]:/.exec(entry.fileName) || /^\//.exec(entry.fileName)) return emitErrorAndAutoClose(self, new Error("absolute path: " + entry.fileName)); | ||
| if (/^[a-zA-Z]:/.test(entry.fileName) || /^\//.test(entry.fileName)) return emitErrorAndAutoClose(self, new Error("absolute path: " + entry.fileName)); | ||
| if (entry.fileName.split("/").indexOf("..") !== -1) return emitErrorAndAutoClose(self, new Error("invalid relative path: " + entry.fileName)); | ||
| self.emit("entry", entry); | ||
@@ -254,2 +264,11 @@ readEntries(self); | ||
| var fileDataEnd = fileDataStart + entry.compressedSize; | ||
| if (entry.compressedSize !== 0) { | ||
| // bounds check now, because the read streams will probably not complain loud enough. | ||
| // since we're dealing with an unsigned offset plus an unsigned size, | ||
| // we only have 1 thing to check for. | ||
| if (fileDataEnd > self.fileSize) { | ||
| return callback(new Error("file data overflows file bounds: " + | ||
| fileDataStart + " + " + entry.compressedSize + " > " + self.fileSize)); | ||
| } | ||
| } | ||
| var stream = self.fdSlicer.createReadStream({start: fileDataStart, end: fileDataEnd}); | ||
@@ -289,3 +308,3 @@ if (filterStream != null) { | ||
| if (bytesRead < length) return callback(new Error("unexpected EOF")); | ||
| callback(null, buffer); | ||
| callback(); | ||
| }); | ||
@@ -297,3 +316,3 @@ } | ||
| if (bytesRead < length) return callback(new Error("unexpected EOF")); | ||
| callback(null, buffer); | ||
| callback(); | ||
| }); | ||
@@ -300,0 +319,0 @@ } |
| { | ||
| "name": "yauzl", | ||
| "version": "1.1.0", | ||
| "version": "1.1.1", | ||
| "description": "yet another unzip library for node", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -14,2 +14,7 @@ # yauzl | ||
| Don't attempt to buffer entire files in RAM at once. | ||
| * Never crash (if used properly). | ||
| Don't let malformed zip files bring down client applications who are trying to catch errors. | ||
| * Catch unsafe filenames entries. | ||
| A zip file entry throws an error if its file name starts with `"/"` or `/[A-Za-z]:\//` | ||
| or if it contains `".."` path segments or `"\\"` (per the spec). | ||
@@ -25,3 +30,3 @@ ## Usage | ||
| zipfile.on("entry", function(entry) { | ||
| if (/\/$/.exec(entry.fileName)) { | ||
| if (/\/$/.test(entry.fileName)) { | ||
| // directory file names end with '/' | ||
@@ -159,2 +164,5 @@ return; | ||
| If `fileName` would contain unsafe characters, such as an absolute path or | ||
| a relative directory, yauzl emits an error instead of an entry. | ||
| #### extraFields | ||
@@ -178,2 +186,12 @@ | ||
| ## How to Avoid Crashing | ||
| When a malformed zipfile is encountered, the default behavior is to crash (throw an exception). | ||
| If you want to handle errors more gracefully than this, | ||
| be sure to do the following: | ||
| * Provide `callback` parameters where they are allowed, and check the `err` parameter. | ||
| * Attach a listener for the `error` event on any `ZipFile` object you get from `open` or `fopen`. | ||
| * Attach a listener for the `error` event on any stream you get from `openReadStream`. | ||
| ## Limitations | ||
@@ -180,0 +198,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by8.51%
22906
- Lines of code
- increased by6.74%
301
- Number of lines in readme file
- increased by7.53%
257
No dependency changes