Plugin ZIP validation doesn't cleanly reject `\` as path separator

[lnicola]

URL

No response

On what type of device(s) did you see this bug?

No response

On which operating system(s) are you seeing the problem?

No response

Other OS

No response

On which browser(s) are you seeing the problem?

No response

Other Browser

No response

Summary

According to the ZIP spec, archive entries must use / and not \:

   4.4.17.1 The name of the file, with optional relative path.
   The path stored MUST NOT contain a drive or
   device letter, or a leading slash.  All slashes
   MUST be forward slashes '/' as opposed to
   backwards slashes '\' for compatibility with Amiga
   and UNIX file systems etc.  If input came from standard
   input, there is no file name field.  

But someone just sent me an archive using the latter:

     6335  01-25-2026 23:53   big_downloader_toolbox\big_downloader_toolbox_plugin.py
     2418  01-25-2026 09:42   big_downloader_toolbox\big_downloader_toolbox_provider.py
   522706  12-05-2025 22:04   big_downloader_toolbox\icon.png
      658  03-09-2026 09:36   big_downloader_toolbox\metadata.txt
     1538  12-05-2025 22:24   big_downloader_toolbox\README.md
       17  01-25-2026 09:18   big_downloader_toolbox\requirements.txt
      307  12-05-2025 23:10   big_downloader_toolbox\__init__.py
    14704  01-25-2026 23:57   big_downloader_toolbox\algorithms\download_batnas.pyc
    16355  01-25-2026 23:57   big_downloader_toolbox\algorithms\download_demnas_pro.pyc
    10254  01-25-2026 23:57   big_downloader_toolbox\algorithms\download_rbi_tool_pro.pyc
    11219  01-25-2026 23:57   big_downloader_toolbox\algorithms\license_guard.pyc
     3793  01-25-2026 23:57   big_downloader_toolbox\algorithms\login_demnas.pyc
       72  12-05-2025 23:12   big_downloader_toolbox\algorithms\__init__.py
   541718  12-05-2025 22:06   big_downloader_toolbox\images\icon_batnas.png
   558574  12-05-2025 22:05   big_downloader_toolbox\images\icon_demnas.png
   391090  12-05-2025 22:05   big_downloader_toolbox\images\icon_login.png
   336159  12-05-2025 22:05   big_downloader_toolbox\images\icon_rbi.png

I suspect this will fail validation at https://github.com/qgis/QGIS-Plugins-Website/blob/769758a/qgis-app/plugins/validator.py#L303, but with a confusing error message.

It wasn't the case here, but Windows disk names should also be rejected.

[Xpirix]

Thanks for reporting this @lnicola.

I couldn't really replicate the issue from my side. I tried with the following plugin structure:

Archive:  output.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  01-01-1980 00:00   test_modul\
        0  01-01-1980 00:00   test_modul\help\
        0  01-01-1980 00:00   test_modul\help\source\
        0  01-01-1980 00:00   test_modul\i18n\
        0  01-01-1980 00:00   test_modul\scripts\
        0  01-01-1980 00:00   test_modul\test\
    18387  02-10-2026 12:18   test_modul\LICENSE
     8149  02-10-2026 12:18   test_modul\Makefile
     1904  02-10-2026 12:18   test_modul\README.html
      950  02-10-2026 12:18   test_modul\README.txt
     1564  02-10-2026 12:18   test_modul\__init__.py
     4626  02-10-2026 12:18   test_modul\help\Makefile
     4126  02-10-2026 12:18   test_modul\help\make.bat
     7041  02-10-2026 12:18   test_modul\help\source\conf.py
      437  02-10-2026 12:18   test_modul\help\source\index.rst
      333  02-10-2026 12:18   test_modul\i18n\af.ts
     1034  02-10-2026 12:18   test_modul\icon.png
      482  02-10-2026 12:18   test_modul\metadata.txt
     2869  02-10-2026 12:18   test_modul\pb_tool.cfg
     3447  02-10-2026 12:18   test_modul\plugin_upload.py
     8798  02-10-2026 12:18   test_modul\pylintrc
      106  02-10-2026 12:18   test_modul\resources.qrc
      251  02-10-2026 12:18   test_modul\scripts\compile-strings.sh
      794  02-10-2026 12:18   test_modul\scripts\run-env-linux.sh
     1401  02-10-2026 12:18   test_modul\scripts\update-strings.sh
      107  02-10-2026 12:18   test_modul\test\__init__.py
     6399  02-10-2026 12:18   test_modul\test\qgis_interface.py
      309  02-10-2026 12:18   test_modul\test\tenbytenraster.asc
      359  02-10-2026 12:18   test_modul\test\tenbytenraster.asc.aux.xml
       22  02-10-2026 12:18   test_modul\test\tenbytenraster.keywords
      589  02-10-2026 12:18   test_modul\test\tenbytenraster.lic
      143  02-10-2026 12:18   test_modul\test\tenbytenraster.prj
     1564  02-10-2026 12:18   test_modul\test\tenbytenraster.qml
     1860  02-10-2026 12:18   test_modul\test\test_init.py
     1886  02-10-2026 12:18   test_modul\test\test_qgis_environment.py
     1024  02-10-2026 12:18   test_modul\test\test_resources.py
     1515  02-10-2026 12:18   test_modul\test\test_test_modul_dialog.py
     1750  02-10-2026 12:18   test_modul\test\test_translations.py
     1802  02-10-2026 12:18   test_modul\test\utilities.py
     6933  02-10-2026 12:18   test_modul\test_modul.py
     2030  02-10-2026 12:18   test_modul\test_modul_dialog.py
     1485  02-10-2026 12:18   test_modul\test_modul_dialog_base.ui
---------                     -------
    96476                     42 files

The validator raised the following error while uploading, so the validator seems to handle the backslashes (even without them for the folders):

[lnicola]

I suspect this will fail validation at https://github.com/qgis/QGIS-Plugins-Website/blob/769758a/qgis-app/plugins/validator.py#L303, but with a confusing error message.

Which is the same message as in your screenshot. A better message would be "your archive does not conform to the ZIP specification, try another archiver". I filed this because a user got confused by this error.

[Xpirix]

Ah, sorry for misunderstanding it. I will submit a fix for it then. Thanks!

[lnicola]

Just that it's a bit hard to detect, since \ is a valid path character. I guess you could detect if there's no folder (the error branch taken now) but all (or at least one) of the entries contain \.

[Xpirix]

I see, thanks for the clarification. I have made a PR for this at #287.