Skip to content

zipfile.extractall never restores stored Unix permissions #149839

Open
Open
zipfile.extractall never restores stored Unix permissions#149839
Labels
stdlibStandard Library Python modules in the Lib/ directorytype-featureA feature request or enhancement
@KowalskiThomas

Description

@KowalskiThomas
KowalskiThomas
opened on May 14, 2026

Bug report

Bug description:

ZipInfo.from_file stores the source file's Unix permissions in external_attr, but ZipFile._extract_member never reads them back. Extracted files are created with open(targetpath, "wb"), which applies the process umask (typically 0o644). (And there isn't an os.chmod afterwards.)

This means a zip archive containing a file at 0o600 will extract it world-readable. tarfile for example on the other hand does apply those attributes after extracting; zipfile silently discards the permission metadata it recorded.

This could be fixed by applying the stored mode after writing:

with self.open(member, pwd=pwd) as source, open(targetpath, "wb") as target:
    shutil.copyfileobj(source, target)

attr = member.external_attr >> 16
if attr:
    os.chmod(targetpath, attr)

Note that this isn't perfect either, as this leaves window of exposure (similar to what was reported in #96719), but it is a different bug (permissions restored after a while vs. permissions not reset at all).

I have this branch which updates it (with a regression test on top).

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    stdlibStandard Library Python modules in the Lib/ directorytype-featureA feature request or enhancement

    Projects

    Zipfile issues

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions