This is a follow-up to the previous issue report. We noticed that when archive tries to parse the filename from the zip header, it only considers the filename from the Local File Header and does not match it against the Central Directory Entry filename. This can pose a security risk, as the Local File Header can be easily spoofed, which leads to an inconsistency in the filenames of the entries before and after extraction. Below is a demo where we crafted a zip file with a spoofed Local File Header and tried extracting it using your package.
crafted zip file (poc.zip) binary content
zip file before extraction (the file inside appears as evil.txt)
zip file after extraction (the file now appears as evil.apk)
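The inconsistency described in this report (a Local File Header whose name differs from the Central Directory entry that points at it) can be detected by any consumer before it extracts anything. The following is an added example in Python, not part of this issue report and not code from the package it concerns. It builds a minimal stored-entry archive in memory by hand so that the two names can be set independently (the names notes.txt and notes.apk are constructed for the demo), then walks the Central Directory with the standard library and reads each entry's Local File Header at the offset the directory supplies, reporting any pair that disagrees.

```python
import io
import struct
import zipfile
import zlib

# On-disk header layouts from the PKWARE APPNOTE (all little-endian).
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"        # 30 bytes, signature 0x04034b50
CENTRAL_HEADER_FMT = "<IHHHHHHIIIHHHHHII" # 46 bytes, signature 0x02014b50
EOCD_FMT = "<IHHHHIIH"                    # 22 bytes, signature 0x06054b50
LOCAL_SIG = 0x04034B50
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)


def build_zip(local_name: bytes, central_name: bytes, data: bytes) -> bytes:
    """Construct a single-entry, uncompressed zip whose Local File Header
    carries `local_name` while the Central Directory carries `central_name`.
    Passing the same value for both yields an ordinary consistent archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Local File Header: version 2.0, no flags, method 0 (stored), zero timestamp.
    local = struct.pack(LOCAL_HEADER_FMT, LOCAL_SIG, 20, 0, 0, 0, 0,
                        crc, len(data), len(data), len(local_name), 0)
    body = local + local_name + data
    # Central Directory header pointing back at offset 0 (the local header above).
    central = struct.pack(CENTRAL_HEADER_FMT, 0x02014B50, 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(central_name),
                          0, 0, 0, 0, 0, 0)
    directory = central + central_name
    # End Of Central Directory: one entry, directory size and offset, no comment.
    eocd = struct.pack(EOCD_FMT, 0x06054B50, 0, 0, 1, 1,
                       len(directory), len(body), 0)
    return body + directory + eocd


def find_name_mismatches(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (central_directory_name, local_header_name) for every entry
    whose two names differ. An empty list means the archive is consistent."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() is populated from the Central Directory only; it never
        # touches the local headers, which is exactly the view we want to
        # cross-check.
        for info in zf.infolist():
            start = info.header_offset
            header = zip_bytes[start:start + LOCAL_HEADER_SIZE]
            if len(header) != LOCAL_HEADER_SIZE:
                raise ValueError(f"truncated local header for {info.filename!r}")
            fields = struct.unpack(LOCAL_HEADER_FMT, header)
            if fields[0] != LOCAL_SIG:
                raise ValueError(f"bad local header signature for {info.filename!r}")
            name_len = fields[9]
            raw_name = zip_bytes[start + LOCAL_HEADER_SIZE:
                                 start + LOCAL_HEADER_SIZE + name_len]
            local_name = raw_name.decode("utf-8", errors="replace")
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Run the check over a consistent and an inconsistent constructed archive."""
    payload = b"constructed sample content\n"
    consistent = build_zip(b"notes.txt", b"notes.txt", payload)
    inconsistent = build_zip(b"notes.apk", b"notes.txt", payload)
    return find_name_mismatches(consistent), find_name_mismatches(inconsistent)


if __name__ == "__main__":
    ok, bad = demo()
    print("consistent archive  ->", ok)     # []
    print("inconsistent archive ->", bad)   # [('notes.txt', 'notes.apk')]
```

The Central Directory is the authoritative table of contents of a zip file, and the Local File Header is only supposed to repeat it, so a reader that trusts the local header alone is trusting the copy that is easiest to alter without disturbing the rest of the archive. A parser that lists entries from one structure and extracts from the other should reject the archive (or at least the entry) on any disagreement; CPython's own `zipfile` does this at open time, raising `BadZipFile` with "File name in directory ... and header ... differ".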