Report an error if the target overwrites a source file

pfmoore · pfmoore · commit 43210be9e9f8 · 2025-02-24T23:04:23.000Z
diff --git a/Lib/test/test_zipapp.py b/Lib/test/test_zipapp.py
@@ -91,7 +91,7 @@ def skip_pyc_files(path):
 
     def test_create_archive_self_insertion(self):
         # When creating an archive, we shouldn't
-        # include the archive in the lis of files to add.
+        # include the archive in the list of files to add.
         source = self.tmpdir
         (source / '__main__.py').touch()
         (source / 'test.py').touch()
@@ -103,6 +103,16 @@ def test_create_archive_self_insertion(self):
             self.assertIn('__main__.py', z.namelist())
             self.assertIn('test.py', z.namelist())
 
+    def test_target_overwrites_source_file(self):
+        # The target cannot be one of the files to add.
+        source = self.tmpdir
+        (source / '__main__.py').touch()
+        target = source / 'target.pyz'
+        target.touch()
+
+        with self.assertRaises(zipapp.ZipAppError):
+            zipapp.create_archive(source, target)
+
     def test_create_archive_filter_exclude_dir(self):
         # Test packing a directory and using a filter to exclude a
         # subdirectory (ensures that the path supplied to include
diff --git a/Lib/zipapp.py b/Lib/zipapp.py
@@ -135,6 +135,26 @@ def create_archive(source, target=None, interpreter=None, main=None,
     # the target is being created in the source directory - we
     # don't want the target being added to itself
     files_to_add = sorted(source.rglob('*'))
+
+    # The target cannot be in the list of files to add. If it were, we'd
+    # end up overwriting the source file and writing the archive into
+    # itself, which is an error. We therefore check for that case and
+    # provide a helpful message for the user.
+
+    # Note that we only do a simple path equality check. This won't
+    # catch every case, but it will catch the common case where the
+    # source is the CWD and the target is a file in the CWD. More
+    # thorough checks don't provide enough value to justify the extra
+    # cost.
+
+    # https://github.com/python/cpython/issues/104527 tracks making
+    # the zipfile module catch writing an archive to itself at a
+    # lower level, which could help here in cases that our check
+    # doesn't catch.
+    if target in files_to_add:
+        raise ZipAppError(
+            f"The target archive {target} overwrites one of the source files.")
+
     with _maybe_open(target, 'wb') as fd:
         _write_file_prefix(fd, interpreter)
         compression = (zipfile.ZIP_DEFLATED if compressed else
