jaime-olivares / zipstorer

A Pure C# Class to Store Files in Zip
MIT License

ZipStorer.cs - Security and Compatibility Issues and Fixes #53

Open EJocys opened 2 months ago

EJocys commented 2 months ago

Security Issue

Problem: Insecure temporary file creation methods should not be used.

    var tempZipName = Path.GetTempFileName();
    var tempEntryName = Path.GetTempFileName();

Solution:

    var tempFolderPath = Path.GetTempPath();
    var tempZipName = Path.Combine(tempFolderPath, Path.GetRandomFileName());
    var tempEntryName = Path.Combine(tempFolderPath, Path.GetRandomFileName());

.NET 4.8 Compatibility issue

Problem: CodePagesEncodingProvider is not available in .NET 4.8

    CodePagesEncodingProvider.Instance.GetEncoding(437);
    Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);
    DefaultEncoding = Encoding.GetEncoding(437);

Solution: Use a condition to exclude the code for the .NET 4.8 build:

    #if NET5_0_OR_GREATER
        CodePagesEncodingProvider.Instance.GetEncoding(437);
        Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);
    #endif
        DefaultEncoding = Encoding.GetEncoding(437);

jaime-olivares commented 2 months ago

Please see my comment in #52 regarding CP 437. I will incorporate your suggestion about temporary files once the previous is resolved.
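
On the temporary-file suggestion in this thread: `Path.GetRandomFileName()` returns a name without creating the file, so the safety of the result depends on how the file is opened afterwards. The following is an added example, not part of the issue or of ZipStorer's code, that pairs the random name with an exclusive create; `SafeTempFile` and `CreateExclusive` are hypothetical names.

```csharp
using System;
using System.IO;
// Added example, not ZipStorer code; SafeTempFile and CreateExclusive are hypothetical names.
static class SafeTempFile
{
    // Creates a randomly named file in the temp folder and returns it open.
    // FileMode.CreateNew fails if the path already exists, so a file that
    // someone else placed at that path is never opened or truncated.
    public static FileStream CreateExclusive(out string path)
    {
        const int maxAttempts = 5;
        for (int attempt = 1; ; attempt++)
        {
            path = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
            try
            {
                return new FileStream(path, FileMode.CreateNew, FileAccess.ReadWrite,
                                      FileShare.None, 4096, FileOptions.None);
            }
            catch (IOException) when (attempt < maxAttempts)
            {
                // Path was taken (or a transient I/O error): try another name.
            }
        }
    }

    static void Main()
    {
        string tempZipName;
        using (FileStream fs = CreateExclusive(out tempZipName))
        {
            byte[] sample = { 0x50, 0x4B, 0x05, 0x06 }; // constructed sample bytes
            fs.Write(sample, 0, sample.Length);
        }
        try
        {
            // A second exclusive create on the same path must fail, not overwrite.
            using (new FileStream(tempZipName, FileMode.CreateNew)) { }
            Console.WriteLine("unexpected: existing file was reopened");
        }
        catch (IOException)
        {
            Console.WriteLine("existing path rejected by FileMode.CreateNew");
        }
        finally { File.Delete(tempZipName); }
    }
}
```

The same constructor overload is available on .NET Framework 4.8 and on .NET 5 or later, so the helper does not need a conditional build.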