Subject: Files can be replace/add/delete from password protected ZIP file when encryption is set to None
Date: 2021-06-29 19:22:25
From: Belinda van
Source: files-can-replace-add-delete-password-protected-zip-file-encryption-set-none

Application is relying on the commercial product “ComponentPro ZIP” to create the compressed ZIP file and make it password protected. As per analysis, this issue is only occurring when the final ZIP file has few files without password. We had requirement, to keep few files without password protection.
It has been observed that, when all the files within compressed ZIP file are password protected and and encryption is set to none then files within ZIP cannot be replaced using any other third-party tool like WinZip or 7zip.  And even password protection works fine when user tries to extract the content of ZIP file.
However, when any file is added without password protection and encryption is set to none while creating compressed ZIP file then files within ZIP can be replace/add/remove using tools like WinZip or 7zip. User can open the compressed ZIP file with WinZip OR 7zip then they are able to drag the new file in password protected ZIP file and file will get replaced/added.

 1. How can we fix this issue by creating password protected compressed zip file, having few files without password protection in it?
 2. What's the relevance of EncryptionAlgorithm property in Ultimate ZIP ? Can we use it to fix the issue ?

Reference: Current implementation how application is creating ZIP file

            var zipDestPath = @"c:\dest";
            using (Zip zip = new Zip())
                zip.EncryptionAlgorithm = EncryptionAlgorithm.None;
                zip.AddFiles(@"c:\src\testWithoutPwd.doc"); //file without password protection
                zip.Password = "Password123";
                zip.AddFiles(@"c:\src\html", "html"); //directory with password protection
                zip.AddFiles(@"c:\src\test1.xml", "xml"); //file with password protection
                if (File.Exists(@"c:\src\test2.doc"))
                    zip.AddFiles(@"c:\src\test2.doc", ""); //file with password protection


Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.

Back to ComponentPro Q&A Forum Index