From b04e434ad4298bfa12e30d941562fbea7539b500 Mon Sep 17 00:00:00 2001
From: Kurt Neufeld <kneufeld@burgundywall.com>
Date: Fri, 3 Jun 2016 12:08:42 -0700
Subject: [PATCH] restore file permissions when extracting zipfile

---
 src/wormhole/cli/cmd_receive.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/wormhole/cli/cmd_receive.py b/src/wormhole/cli/cmd_receive.py
index d421c5c..239ef61 100644
--- a/src/wormhole/cli/cmd_receive.py
+++ b/src/wormhole/cli/cmd_receive.py
@@ -285,14 +285,24 @@ class TwistedReceiver:
                   os.path.basename(self.abs_destname))
 
     def _write_directory(self, f):
+        def extract_file( zf, info, extract_dir ):
+            """
+            the zipfile module does not restore file permissions
+            so we'll do it manually
+            """
+            zf.extract( info.filename, path=extract_dir )
+
+            # not sure why zipfiles store the perms 16 bits away but they do
+            perm = info.external_attr >> 16L
+            out_path = os.path.join( extract_dir, info.filename )
+            os.chmod( out_path, perm )
+
         self._msg(u"Unpacking zipfile..")
         with self.args.timing.add("unpack zip"):
             with zipfile.ZipFile(f, "r", zipfile.ZIP_DEFLATED) as zf:
-                zf.extractall(path=self.abs_destname)
-                # extractall() appears to offer some protection against
-                # malicious pathnames. For example, "/tmp/oops" and
-                # "../tmp/oops" both do the same thing as the (safe)
-                # "tmp/oops".
+                for info in zf.infolist():
+                    extract_file( zf, info, self.abs_destname )
+
             self._msg(u"Received files written to %s/" %
                       os.path.basename(self.abs_destname))
             f.close()