Is it possible to have a zip file where something is in the folder "../" or "../../", etc.? I don't know much about how folders work in zips, and I don't really want to read through the standard (but I will if I have to), but I need to find this out to tackle a potential security risk.
Thanks.
Sounds unlikely. What if you extract to the root directory?
Yes, you can have such zip files, but most zip extractors strip those off. Some haven't always done it, and that has been considered an exploitable security vulnerability and posted about on bugtraq.
edit:
Quote
-: [all but Acorn, VM/CMS, MVS, Tandem] allows to extract archive members into locations outside of the current ``extraction root folder''. For security reasons, unzip normally removes ``parent dir'' path components (``../'') from the names of extracted files. This safety feature (new for version 5.50) prevents unzip from accidentally writing files to ``sensitive'' areas outside the active extraction folder tree head. The -: option lets unzip switch back to its previous, more liberal behaviour, to allow exact extraction of (older) archives that used ``../'' components to create multiple directory trees at the level of the current extraction folder. Use of this will not enable writing explicitly to the root directory (``/''). To do this, it is necessary to unzip the file from within the root directory itself. However, when the -: option is specified, it is still possible to implicitly write to the root directory by specifying enough ``../'' path components within the zip file. Use this option with extreme caution.
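To make the question and the answer above concrete, here is an added example (not code from this thread or from the unzip project) that builds a small in-memory zip with constructed entry names containing "../", audits which entries would escape the extraction root, and extracts only the ones that stay inside it. The entry names, the `is_safe_member` rule and the helper names are all assumptions made for this example; Python's own `ZipFile.extract` has sanitised parent-directory components for many years, but the check below is what an extractor that wants to reject (rather than silently rewrite) such entries has to do.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and two entries whose
    names contain parent-directory components (the case asked about)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../escape.txt", "would land beside the extraction root")
        zf.writestr("a/../../b.txt", "escapes only after normalisation")
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """Return True only if the entry name cannot leave the extraction root.

    Rejects absolute paths, Windows drive prefixes and backslash separators,
    then normalises the remaining path so that 'a/../../b' is caught too.
    """
    if name.startswith("/") or "\\" in name:
        return False
    if ":" in name.split("/", 1)[0]:  # e.g. 'C:/...'
        return False
    normalised = posixpath.normpath(name)
    return normalised != ".." and not normalised.startswith("../")


def audit_zip(data: bytes) -> tuple[list[str], list[str]]:
    """Split the archive's entry names into (safe, rejected) lists."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (safe if is_safe_member(info.filename) else rejected).append(info.filename)
    return safe, rejected


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only entries that resolve inside dest; return written paths
    relative to dest, using '/' separators."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            # Second, filesystem-level check: the resolved path must stay under root.
            if os.path.commonpath([root, target]) != root:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def demo_extract() -> list[str]:
    """Extract the sample archive into a temporary directory and report
    which entries were actually written."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)


if __name__ == "__main__":
    safe, rejected = audit_zip(build_sample_zip())
    print("safe:", safe)          # ['docs/readme.txt']
    print("rejected:", rejected)  # ['../escape.txt', 'a/../../b.txt']
    print("written:", demo_extract())
```

Two layers are deliberate: the name check lets you log or refuse an archive before touching the disk, and the `realpath`/`commonpath` check catches anything the string rule missed (for instance a symlink created by an earlier entry pointing outside the tree).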