Author | Message | Time |
---|---|---|
iago | Is it possible to have a zip file where something is in the folder "../" or "../../", etc.? I don't know much about how folders work in zips, and I don't really want to read through the standard (but I will if I have to), but I need to find this out to tackle a potential security risk. Thanks. | March 17, 2004, 7:33 PM |
Yoni | Sounds unlikely. What if you extract to the root directory? | March 17, 2004, 8:13 PM |
Adron | Yes, you can have such zip files, but most zip extractors strip those off. Some haven't always done it, and that has been considered an exploitable security vulnerability and posted to bugtraq about. edit: [quote]`-:` [all but Acorn, VM/CMS, MVS, Tandem] allows to extract archive members into locations outside of the current extraction root folder. For security reasons, unzip normally removes "parent dir" path components ("../") from the names of extracted files. This safety feature (new for version 5.50) prevents unzip from accidentally writing files to "sensitive" areas outside the active extraction folder tree head. The `-:` option lets unzip switch back to its previous, more liberal behaviour, to allow exact extraction of (older) archives that used "../" components to create multiple directory trees at the level of the current extraction folder. Use of this will not enable writing explicitly to the root directory ("/"). To do this, it is necessary to unzip the file from within the root directory itself. However, when the `-:` option is specified, it is still possible to implicitly write to the root directory by specifying enough "../" path components within the zip file. Use this option with extreme caution.[/quote] | March 17, 2004, 8:54 PM |
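The thread settles the question: a zip member name is just a string stored in the archive, so "../../outside.txt" or "/etc/abs.txt" is perfectly legal, and the only defence is in the extractor. The following Python is an added example, not code from the thread, from unzip, or from any of the posters. It builds a small archive with exactly such names (the member names and contents are constructed for the demonstration), lists the members that would land outside a chosen extraction root, and extracts only the safe ones. The root directory used in the check is hypothetical; the helper and function names are this example's own. The archive is inspected name by name rather than handed to `ZipFile.extractall`, because the point is to show how an extractor decides, not to rely on whatever one particular library does.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed sample archive: zipfile.writestr() stores member names
    verbatim, so '../' components and a leading '/' survive into the file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../outside.txt", "escaped via ../\n")
        zf.writestr("/etc/abs.txt", "escaped via absolute path\n")
    return buf.getvalue()


def _resolve_inside(root_abs: str, member_name: str):
    """Return the absolute path `member_name` would be written to under
    `root_abs`, or None if that path would fall outside the root.

    Both separators are accepted because archives written on Windows may use
    '\\'. realpath() collapses '..' lexically and follows any symlinks already
    present in the prefix; an absolute member name makes os.path.join discard
    the root entirely, which the commonpath check then catches."""
    candidate = os.path.join(root_abs, member_name.replace("\\", "/"))
    target = os.path.realpath(candidate)
    try:
        if os.path.commonpath([root_abs, target]) != root_abs:
            return None
    except ValueError:          # different drives on Windows: not inside root
        return None
    return target


def unsafe_members(zip_bytes: bytes, root: str) -> list:
    """Names of members that would escape `root` if extracted verbatim."""
    root_abs = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if _resolve_inside(root_abs, n) is None]


def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Extract members that stay inside `root`; skip (do not rewrite) the
    rest. Returns the member names that were written.

    Rejecting rather than stripping '../' avoids two members collapsing onto
    the same path after sanitisation. Symlink members are not special-cased
    here: their stored content is written as a regular file, never as a link."""
    root_abs = os.path.realpath(root)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = _resolve_inside(root_abs, info.filename)
            if target is None:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written


def extract_demo() -> list:
    """Extract the constructed archive into a scratch directory and report
    the files that actually landed under it, relative to the root."""
    root = tempfile.mkdtemp(prefix="zipcheck-")
    try:
        safe_extract(build_traversal_zip(), root)
        on_disk = []
        for dirpath, _, files in os.walk(root):
            for f in files:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                on_disk.append(rel.replace(os.sep, "/"))
        return sorted(on_disk)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    archive = build_traversal_zip()
    print("members that would escape /tmp/extract:",
          unsafe_members(archive, "/tmp/extract"))
    print("files written by safe_extract:", extract_demo())
```

The check runs on the resolved target path, not on the raw name, so "a/../../x", a leading "/", a backslash-separated name and (on Windows) a drive letter are all handled by the same comparison. It does not address a zip that first delivers a symlink and then a file whose name passes through it; an extractor that honours symlink entries needs to resolve each target again after every write, or refuse symlinks altogether.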