Merge pull request #62 from guzba/ryan

0.9.10 add breach mitigation

Author: guzba

src/zippy.nim

@@ -1,5 +1,10 @@
-import zippy/adler32, zippy/common, zippy/crc, zippy/deflate, zippy/gzip,
-    zippy/inflate, zippy/internal
+import zippy/adler32, zippy/common, zippy/crc, zippy/deflate,
+    zippy/gzip, zippy/inflate, zippy/internal
+
+when (NimMajor, NimMinor, NimPatch) >= (1, 6, 0):
+  import std/sysrand
+else:
+  import std/random, std/times
 
 export common
 
@@ -18,6 +23,23 @@ proc compress*(
     result[0] = 31.char
     result[1] = 139.char
     result[2] = 8.char
+    result[3] = (1.uint8 shl 3).char # Set the fname flag
+
+    block: # https://github.com/guzba/zippy/issues/61
+      let htbLen =
+        when (NimMajor, NimMinor, NimPatch) >= (1, 6, 0):
+          var urand: array[1, uint8]
+          if not urandom(urand):
+            raise newException(ZippyError, "Failed to generate random number")
+          (urand[0] mod 26).int
+        else:
+          let now = getTime()
+          var rand = initRand(now.toUnix * 1_000_000_000 + now.nanosecond)
+          (rand.next() mod 26).int # mod the uint first to ensure a positive int
+      # Add up to 26 characters as the gzip header file name
+      for i in 0 ..< htbLen:
+        result.add (97 + i).char
+      result.add '\0'
 
     deflate(result, src, len, level)
 

zippy.nimble

@@ -1,4 +1,4 @@
-version       = "0.10.8"
+version       = "0.10.9"
 author        = "Ryan Oldenburg"
 description   = "Pure Nim implementation of deflate, zlib, gzip and zip."
 license       = "MIT"