[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [office] RE: Directories in Zip packages
OK, I have attached a file that includes a dump analysis of the helloworld-signature.odt file. With luck, it won't be merged with this text. In all of the entries I examined, the external file attribute is always 00 00 00 00. There are no special internal attributes or special flags of any kind that I could see. The only consistent indication I have is that the directory entries always have names ending in "/" and they always have compressed and uncompressed sizes of 0 and there is no compression. Those are the only discriminating features. I am going to see what happens if I actually Zip a directory that has empty directories to see what happens. But for now, all I can say is WTF (Waiting to Fail!) and continue to affirm that directories, however represented in the Zip should not be signed and if one shows up as a file with data later, the META-INF/documentsignatures.xml verifier should probably complain because it was not included in the signature, just as it should complain if some other kind of file shows up. - Dennis PS: When I installed PKZIP, it silently stole the file association for Zip, so I don't have the built-in Windows XP association any longer. Crap!! I am uninstalling it to see if things get back to normal. -----Original Message----- From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] Sent: Sunday, September 26, 2010 16:20 To: 'Hanssens Bart'; 'David LeBlanc'; 'office@lists.oasis-open.org' Cc: 'Cornelis Frank' Subject: RE: [office] RE: Directories in Zip packages My additional analysis follows in a separate note. Here is what I have: 1. Yes, directories/folders can be represented by file entries. I was completely off base about that. I have confirmed that in APPNOTE 6.2.0. But I don't think it happens the way you think in this particular file. I will check the central directory records I reviewed more closely. 2. There is no reason that ODF 1.2 ever needs such things in a package, since the manifest is independent of that stuff. 3. It is not possible to sign a directory/folder entry in the Zip because there is nothing to sign. There is no data in such an entry and there should be no way to insert data in such an entry without it being a file instead of a folder. We'll have to see if that is actually a hole in Zip. (Oddly enough, the 0-length file Configurations2\accelerator\current.xml *has* data, and it is compressed, but the uncompressed size is 0. Fancy that.) - Dennis -----Original Message----- From: Hanssens Bart [mailto:Bart.Hanssens@fedict.be] Sent: Sunday, September 26, 2010 14:13 To: dennis.hamilton@acm.org; 'David LeBlanc'; office@lists.oasis-open.org Cc: Cornelis Frank Subject: [office] RE: Directories in Zip packages - was RE: XAdES support in ODF Dennis, the ZIP appnote (any version, at least since 4.50) says " external file attributes: (4 bytes) The mapping of the external attributes is host-system dependent (see 'version made by'). For MS-DOS, the low order byte is the MS-DOS directory attribute byte. If input came from standard input, this field is set to zero. ... file name: (Variable) The name of the file, with optional relative path. The path stored should not contain a drive or device letter, or a leading slash. All slashes should be forward slashes '/' as opposed to backwards slashes '\' for compatibility with Amiga and UNIX file systems etc. ..." (Winzip probably 'translates' this for viewing purposes) But the real questions are: a) is adding (empty) directories, for whatever reason, allowed per ODF 1.2 spec (since it requires a somewhat special attribute) b) if so, should it be signed (I would say yes) c) in that case, should the ODF spec text "sign every file" be changed in "every entry" (or similar) Best regards Bart ________________________________________ From: Dennis E. Hamilton [dennis.hamilton@acm.org] Sent: Sunday, September 26, 2010 10:48 PM To: Hanssens Bart; 'David LeBlanc'; office@lists.oasis-open.org Cc: Cornelis Frank Subject: Directories in Zip packages - was RE: XAdES support in ODF For further amusement, the attachment is what PKZip for Windows version 12.50.0013 says about helloworld-signed.odt. It seems that my (1-4) below have more evidence to deal with. Re (1), PKWare prefers to show "/" as the segment separator. Re (2), I have no idea at this point whether this is covered in the APPNOTE or an extension Re (3), the observation about no directory entries for Configurations2/, Thumbnails/, etc., also applies to Configuration2//images as well as Configurations2/accelerator. Re (4), the "\" business may be answered. I know where to find a reasonable hex editor. Back soon. - Dennis -----Original Message----- From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] Sent: Sunday, September 26, 2010 13:39 To: 'Hanssens Bart'; 'David LeBlanc'; 'office@lists.oasis-open.org' Cc: 'Cornelis Frank' Subject: RE: [office] RE: XAdES support in ODF I knew I had a command-line Zipper somewhere. Here is what 7zip has to say about that document: 12:57 7-Zip (A) 4.42 Copyright (c) 1999-2006 Igor Pavlov 2006-05-14 12:07:19.34 C:\MyProjects\java\ODMdev> 7za l helloworld-signed.odt Listing archive: helloworld-signed.odt Date Time Attr Size Compressed Name ------------------- ----- ------------ ------------ ------------ 2010-09-24 16:49:42 ..... 39 39 mimetype 2010-09-24 16:49:42 ..... 3105 813 content.xml 2010-09-24 16:49:42 ..... 532 243 manifest.rdf 2010-09-24 16:49:42 ..... 10864 1993 styles.xml 2010-09-24 16:49:42 ..... 1247 1247 meta.xml 2010-09-24 16:49:42 ..... 1018 434 Thumbnails\thumbnail.png 2010-09-24 16:49:42 ..... 0 2 Configurations2\accelerator\current.xml 2010-09-24 16:49:42 D.... 0 0 Configurations2\progressbar 2010-09-24 16:49:42 D.... 0 0 Configurations2\floater 2010-09-24 16:49:42 D.... 0 0 Configurations2\popupmenu 2010-09-24 16:49:42 D.... 0 0 Configurations2\menubar 2010-09-24 16:49:42 D.... 0 0 Configurations2\toolbar 2010-09-24 16:49:42 D.... 0 0 Configurations2\images\Bitmaps 2010-09-24 16:49:42 D.... 0 0 Configurations2\statusbar 2010-09-24 16:49:42 ..... 8773 1365 settings.xml 2010-09-24 16:49:42 ..... 1989 344 META-INF\manifest.xml 2010-09-24 18:52:26 ..... 30891 13945 META-INF\documentsignatures.xml ------------------- ----- ------------ ------------ ------------ 58458 20425 17 files Hmm, attributes. So, two things to figure out here. 1. Is it really "\" and I must remember to use that all of the time (which says something about the resolution of relative IRIs inside the package)? 2. What is this attribute business and whose extension of the APPNOTE is that or is it really provided in the APPNOTE. 3. Finally, notice that there is *no* such entry for Thumbnails and META-INF nor for Configurations2 nor Configurations2\accelerator either so one wonders what the point is that there are Zip entries of any form for those Configurations2\... goodies (and their having bogus manifest:media-type values in the manifest.xml markup). 4. Finally still, I have no idea how much of the way these names are expressed is being done by the utility versus what is in the file (e.g., WinZip showed "\" on the ends, 7-zip shows "D" in some sort of attribute display). I'm still looking for a decent hex editor. I think, without fear of contradiction, however, that there is no way to reflect those D-attribute thingies in the DSig, and we should not want there to be. An external signature on the entire package would include whatever that is, but we're not going there, it seems to me. And finally, it seems like OIC Appnote time, aye? - Dennis -----Original Message----- From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] Sent: Sunday, September 26, 2010 11:30 To: 'Hanssens Bart'; 'David LeBlanc'; office@lists.oasis-open.org Cc: 'Cornelis Frank' Subject: RE: [office] RE: XAdES support in ODF So, please capture the output of the unzip -l helloword-signed.odt and send me the text file, since I can't duplicate that on my equipment. Oh wait, I got it. There are [bogus?] entries in the global directory at the end of the file that have no files in the Zip package itself. They all happen to have names ending in "\" according to WinZip, which I find passing strange since I thought the separator in Zip is "/" so I am not sure how much is literally the case or I have been using the wrong character all of this time. I've included a PNG of what WinZip says is in the file, in the order in which the content appears in the file. If I perform the Winzip integrity test on the file, here is the report I get: No errors detected in compressed data of \\Whs\Users\orcmid\docs\associazione\standards\OASIS\ODF\Development\hellowo rld-signed.odt. Testing ... testing: mimetype OK testing: content.xml OK testing: manifest.rdf OK testing: styles.xml OK testing: meta.xml OK testing: Thumbnails\thumbnail.png OK testing: Configurations2\accelerator\current.xml OK testing: Configurations2\progressbar\ OK testing: Configurations2\floater\ OK testing: Configurations2\popupmenu\ OK testing: Configurations2\menubar\ OK testing: Configurations2\toolbar\ OK testing: Configurations2\images\Bitmaps\ OK testing: Configurations2\statusbar\ OK testing: settings.xml OK testing: META-INF\manifest.xml OK testing: META-INF\documentsignatures.xml OK I need to dig up a decent hex editor and see what is really going on in this file. I'll follow-up after I have done that. -----Original Message----- From: Hanssens Bart [mailto:Bart.Hanssens@fedict.be] Sent: Sunday, September 26, 2010 02:30 To: dennis.hamilton@acm.org; 'David LeBlanc'; office@lists.oasis-open.org Cc: Cornelis Frank Subject: RE: [office] RE: XAdES support in ODF Dennis, I use command line unzip 6.0 (ubuntu) which is based upon info-zip's code. (unzip -l hello.. just lists the entries in the packages, without unzipping to the file system) Or, use hexdump and look at the end of the zip :-) Which makes sense, because one can also zip (outside ODF context) empty directories, and they get stored as well (probably with some flag that says "this might be a directory", then we must check if it is allowed to do so within ODF, because the ODF packaging is more restrictive about this) Bart [ ... ] --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
Here is the first file block in the signed package. This is the mimetype item. helloworld-signed.odt │ F1 Help │ Col 0 Line 1 0% 0000 0000 50 4b 03 04 0a 00 00 00 00 00 35 86 38 3d 5e c6 PK♥♦......5å8=^╞ 0000 0010 32 0c 27 00 00 00 27 00 00 00 08 00 00 00 6d 69 2.'...'...◘...mi 0000 0020 6d 65 74 79 70 65 61 70 70 6c 69 63 61 74 69 6f metypeapplicatio 0000 0030 6e 2f 76 6e 64 2e 6f 61 73 69 73 2e 6f 70 65 6e n/vnd.oasis.open 0000 0040 64 6f 63 75 6d 65 6e 74 2e 74 65 78 74 50 4b 03 document.textPK♥ The central directory record for this file is 0000 5380 50 4b PK 0000 5390 01 02 0a 00 0a 00 00 00 00 00 35 86 38 3d 5e c6 ☺☻........5å8=^╞ 0000 53a0 32 0c 27 00 00 00 27 00 00 00 08 00 00 00 00 00 2.'...'...◘..... 0000 53b0 00 00 00 00 00 00 00 00 00 00 00 00 6d 69 6d 65 ............mime 0000 53c0 74 79 70 65 type Which says it is made by a version 1.0 product that is MS-DOS/OS-2 compatible and requires a version 1.0 to extract and provides nothing new of interest. There are no internal or external file attributes flagged. As I scroll through the file, the successive file items are content.xml manifest.rdf styles.xml meta.xml (hmm, not compressed - interesting) Thumbnails/thumbnail.png (yes, it is "/"!) And then there is this: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Configurations2/accelerator/current.xml And that has this Zip entry: 0000 13c0 50 4b PK 0000 13d0 03 04 14 00 00 00 08 00 35 86 38 3d 00 00 00 00 ♥♦¶...◘.5å8=.... 0000 13e0 02 00 00 00 00 00 00 00 27 00 00 00 43 6f 6e 66 ☻.......'...Conf 0000 13f0 69 67 75 72 61 74 69 6f 6e 73 32 2f 61 63 63 65 igurations2/acce 0000 1400 6c 65 72 61 74 6f 72 2f 63 75 72 72 65 6e 74 2e lerator/current. 0000 1410 78 6d 6c 03 00 xml♥. Here's what is interesting about this one: 13d3 14 00 (20: version 2.0 needed to extract, because Deflate is used) but, uh, it's not) 13d7 08 00 (compression method 8 = Deflated) 13e0 02 00 00 00 (compressed size is 2) 13e4 00 00 00 00 (compressed size is 0) 1413 03 00 (the bytes of the compressed data) The central directory entry for this 0000 54e0 50 4b 01 02 14 PK☺☻¶ 0000 54f0 00 14 00 00 00 08 00 35 86 38 3d 00 00 00 00 02 .¶...◘.5å8=....☻ 0000 5500 00 00 00 00 00 00 00 27 00 00 00 00 00 00 00 00 .......'........ 0000 5510 00 00 00 00 00 ce 13 00 00 43 6f 6e 66 69 67 75 .....╬‼..Configu 0000 5520 72 61 74 69 6f 6e 73 32 2f 61 63 63 65 6c 65 72 rations2/acceler 0000 5530 61 74 6f 72 2f 63 75 72 72 65 6e 74 2e 78 6d 6c ator/current.xml which has that version 2.0 MS-DOS/OS-2 compatible application was used to create this as well as required to extract. There are no internal or external file attributes set (i.e., the MS-DOS attribute byte is 0). Configurations2/progressbar/ (with no data) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Here's the Zip file entry for that: 0000 1410 78 6d 6c 03 00 50 4b 03 04 0a 00 00 00 00 00 35 PK♥♦......5 0000 1420 86 38 3d 00 00 00 00 00 00 00 00 00 00 00 00 1c å8=............∟ 0000 1430 00 00 00 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e ...Configuration 0000 1440 73 32 2f 70 72 6f 67 72 65 73 73 62 61 72 2f s2/progressbar/ Here's the break down of the "local file header" and the file data (there is none) starting at offset 0000 1415: 1415 50 4b 03 04 (ASCII "PK" followed by short 0x0403) 1419 0a 00 (10: version 1.0 needed to extract - default) 141B 00 00 (general purpose bit flags) 141D 00 00 (compression method 0) 141F 35 86 (last mod file time) 1421 38 3d (last mod file date) 1423 00 00 00 00 (crc-32) 1427 00 00 00 00 (compressed size) 142B 00 00 00 00 (uncompressed size) 142F 1c 00 (file name length 28) 1431 00 00 (extra field length) 1433 "Configurations2/progressbar/" (28-byte file name) 144F start of the next item, since there is no data following the file name. The central directory entry for this file is as follows: 0000 5540 50 4b 01 02 0a 00 0a 00 00 00 00 00 35 86 38 3d PK☺☻........5å8= 0000 5550 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 00 00 ............∟... 0000 5560 00 00 00 00 00 00 00 00 00 00 15 14 00 00 43 6f ..........§¶..Co 0000 5570 6e 66 69 67 75 72 61 74 69 6f 6e 73 32 2f 70 72 nfigurations2/pr 0000 5580 6f 67 72 65 73 73 62 61 72 2f ogressbar/ Again, this is allegedly written in a version 1.0 MS-DOS/OS-2 compatible way and extraction (to a file system) requires compatible treatment. There are no internal or external attribute flags set. IF THIS IS RECOGNIZED AS A DIRECTORY, IT IS NOT BECAUSE OF THE ANY ATTRIBUTE SETTINGS. IT MIGHT BE BECAUSE OF THE "/" ENDING THE NAME, IT MAY BE BECAUSE IT IS 0-uncompressed and compressed, it might be some other provision not explained in APPNOTE 6.2.0.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]