Merge pull request #62 from guzba/ryan

0.9.10 add breach mitigation
guzba · May 1, 2023 · 8d75e3d · 8d75e3d
2 parents 3b863db + f1fd90b
commit 8d75e3d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/src/zippy.nim b/src/zippy.nim
@@ -1,5 +1,10 @@
-import zippy/adler32, zippy/common, zippy/crc, zippy/deflate, zippy/gzip,
-    zippy/inflate, zippy/internal
+import zippy/adler32, zippy/common, zippy/crc, zippy/deflate,
+    zippy/gzip, zippy/inflate, zippy/internal
+
+when (NimMajor, NimMinor, NimPatch) >= (1, 6, 0):
+  import std/sysrand
+else:
+  import std/random, std/times
 
 export common
 
@@ -18,6 +23,23 @@ proc compress*(
     result[0] = 31.char
     result[1] = 139.char
     result[2] = 8.char
+    result[3] = (1.uint8 shl 3).char # Set the fname flag
+
+    block: # https://github.com/guzba/zippy/issues/61
+      let htbLen =
+        when (NimMajor, NimMinor, NimPatch) >= (1, 6, 0):
+          var urand: array[1, uint8]
+          if not urandom(urand):
+            raise newException(ZippyError, "Failed to generate random number")
+          (urand[0] mod 26).int
+        else:
+          let now = getTime()
+          var rand = initRand(now.toUnix * 1_000_000_000 + now.nanosecond)
+          (rand.next() mod 26).int # mod the uint first to ensure a positive int
+      # Add up to 26 characters as the gzip header file name
+      for i in 0 ..< htbLen:
+        result.add (97 + i).char
+      result.add '\0'
 
     deflate(result, src, len, level)
 

diff --git a/zippy.nimble b/zippy.nimble
@@ -1,4 +1,4 @@
-version       = "0.10.8"
+version       = "0.10.9"
 author        = "Ryan Oldenburg"
 description   = "Pure Nim implementation of deflate, zlib, gzip and zip."
 license       = "MIT"