From b0306318f132de497597e05a20127ff6df33d89e Mon Sep 17 00:00:00 2001 From: Alexander Zaitsev Date: Fri, 25 Mar 2022 17:13:19 +0300 Subject: [PATCH] docs: add a note about password handling --- src/read.rs | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/read.rs b/src/read.rs index 01fbfe0e..233c96e7 100644 --- a/src/read.rs +++ b/src/read.rs @@ -500,12 +500,18 @@ impl ZipArchive { } /// Search for a file entry by name, decrypt with given password - /// + /// /// # Warning - /// + /// /// The implementation of the cryptographic algorithms has not /// gone through a correctness review, and you should assume it is insecure: /// passwords used with this API may be compromised. + /// + /// This function sometimes accepts wrong password. This is because the ZIP spec only allows us + /// to check for a 1/256 chance that the password is correct. + /// There are many passwords out there that will also pass the validity checks + /// we are able to perform. This is a weakness of the ZipCrypto algorithm, + /// due to its fairly primitive approach to cryptography. pub fn by_name_decrypt<'a>( &'a mut self, name: &str, @@ -534,12 +540,18 @@ impl ZipArchive { } /// Get a contained file by index, decrypt with given password - /// + /// /// # Warning - /// + /// /// The implementation of the cryptographic algorithms has not /// gone through a correctness review, and you should assume it is insecure: /// passwords used with this API may be compromised. + /// + /// This function sometimes accepts wrong password. This is because the ZIP spec only allows us + /// to check for a 1/256 chance that the password is correct. + /// There are many passwords out there that will also pass the validity checks + /// we are able to perform. This is a weakness of the ZipCrypto algorithm, + /// due to its fairly primitive approach to cryptography. pub fn by_index_decrypt<'a>( &'a mut self, file_number: usize,