• Welcome to Valhalla Legends Archive.
 

Zip files..

Started by iago, March 17, 2004, 01:33 PM


iago

Is it possible to have a zip file where something is in the folder "../" or "../../", etc.?  I don't know much about how folders work in zips, and I don't really want to read through the standard (but I will if I have to), but I need to find this out to tackle a potential security risk.

Thanks.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Yoni

Sounds unlikely. What if you extract to the root directory?

Adron

#2
Yes, you can have such zip files, but most zip extractors strip those off. Some haven't always done it, and that has been considered an exploitable security vulnerability and posted about on bugtraq.

edit:
Quote
      -:     [all but Acorn, VM/CMS, MVS, Tandem] allows extraction of archive members into locations outside of the current "extraction root folder". For security reasons, unzip normally removes "parent dir" path components ("../") from the names of extracted files. This safety feature (new for version 5.50) prevents unzip from accidentally writing files to "sensitive" areas outside the active extraction folder tree head. The -: option lets unzip switch back to its previous, more liberal behaviour, to allow exact extraction of (older) archives that used "../" components to create multiple directory trees at the level of the current extraction folder. Use of this will not enable writing explicitly to the root directory ("/"). To do this, it is necessary to unzip the file from within the root directory itself. However, when the -: option is specified, it is still possible to implicitly write to the root directory by specifying enough "../" path components within the zip file. Use this option with extreme caution.
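The risk iago is asking about, shown as an added example that is not part of the thread and not unzip's own code: a Python script that builds a zip whose member names contain "../" (constructed sample data), then classifies and extracts it with the kind of check Adron says unzip 5.50 added. The check does not grep for a literal "../" prefix; it joins each member name onto the destination, lets the OS collapse ".." components, and refuses anything that resolves to a path outside the destination. All function names here are my own.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_traversal_zip() -> bytes:
    """Constructed sample archive: two benign members plus several that try to
    escape the extraction directory via "../", an absolute path, or a ".."
    buried after a normal-looking prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("safe/readme.txt", "harmless\n")
        zf.writestr("a/../b.txt", "stays inside the root\n")
        zf.writestr("../escape.txt", "one level above the root\n")
        zf.writestr("../../deeper/escape.txt", "two levels above the root\n")
        zf.writestr("safe/../../escape2.txt", "prefix looks fine, still escapes\n")
        zf.writestr("/etc/evil", "absolute path\n")
    return buf.getvalue()


def is_unsafe(name: str, root: Path) -> bool:
    """True if extracting `name` under `root` could write outside `root`."""
    name = name.replace("\\", "/")          # some extractors honour backslashes
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True                         # absolute path or drive letter
    target = (root / name).resolve()        # collapses ".." the way the OS would
    return target != root and root not in target.parents


def classify_members(zip_bytes: bytes, dest: str) -> dict:
    """Map every member name in the archive to "ok" or "unsafe"."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: ("unsafe" if is_unsafe(n, root) else "ok") for n in zf.namelist()}


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only members that stay inside dest; return the names refused."""
    root = Path(dest).resolve()
    refused = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe(info.filename, root):
                refused.append(info.filename)
                continue
            target = (root / info.filename.replace("\\", "/")).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return refused


def demo() -> dict:
    """Run both functions against the constructed archive in a scratch
    directory and report what was refused, what was written, and whether
    anything landed in the parent of the extraction root."""
    zip_bytes = build_traversal_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        dest.mkdir()
        verdicts = classify_members(zip_bytes, str(dest))
        refused = safe_extract(zip_bytes, str(dest))
        root = dest.resolve()
        written = sorted(p.relative_to(root).as_posix()
                         for p in root.rglob("*") if p.is_file())
        leaked = (Path(tmp) / "escape.txt").exists()
    return {"verdicts": verdicts, "refused": sorted(refused),
            "written": written, "leaked": leaked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "safe/../../escape2.txt" member is the reason to resolve rather than pattern-match: it does not start with "../" yet still ends up above the root. Recent versions of Python's own zipfile sanitise member names inside extract(), much as the unzip man page above describes, but an explicit check like this one is what you want when the extractor in use is older or not under your control.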