pixelglow / ZipZap

zip file I/O library for iOS, macOS and tvOS
BSD 2-Clause "Simplified" License

Zipperdown security issue (Path traversal symbols not being ignored) #170

Open EthanArbuckle opened 6 years ago

EthanArbuckle commented 6 years ago

Hello,

A security issue has been discovered in another popular archiving SDK, ZipArchive, which can lead to arbitrary file overwrite. The archive can potentially contain path traversal file names, which can lead to files being written outside of their intended destination. This could potentially lead to RCE under the worst of circumstances (such as overwriting a JavaScript file that the app is going to execute).

See: https://zipperdown.org/ https://github.com/ZipArchive/ZipArchive/issues/453

ZipArchive is floating the idea of a "secure" unarchiving method that strips out filenames containing path traversal symbols.

Your thoughts?
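As an added illustration of the bug class described above (not code from this issue, and not ZipZap's API or any ZipArchive code), the following generic Python uses the standard library's `zipfile` module to build a constructed archive in memory containing one benign entry and three hostile entry names, shows where an extractor that trusts entry names would write each one, and extracts with a hardened check that rejects escaping entries instead of stripping characters from them. The entry names, the `assets/app.js` path and the helper names are all assumptions made for the example.

```python
"""Zip path-traversal (Zipperdown / "Zip Slip") illustration.

Added example, not ZipZap code: uses Python's zipfile module on a constructed
in-memory archive to contrast a naive extractor with a hardened one."""
import io
import os
import tempfile
import zipfile

# Constructed entry names: one benign file and three hostile ones.
BENIGN_NAME = "assets/app.js"
HOSTILE_NAMES = [
    "../../evil.js",            # parent-directory traversal
    "/tmp/evil.js",             # absolute path
    "assets\\..\\..\\evil.js",  # backslash separators (Windows-built archives)
]


def build_sample_zip() -> bytes:
    """Build the constructed archive in memory; zipfile stores names as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(BENIGN_NAME, "console.log('benign');\n")
        for name in HOSTILE_NAMES:
            zf.writestr(name, "alert('owned');\n")
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest_dir: str) -> dict:
    """Where an extractor that trusts entry names would write each entry.
    Dry run only: returns the paths and writes nothing."""
    dest_real = os.path.realpath(dest_dir)
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # os.path.join discards dest_real when the name is absolute, and
            # normpath collapses the ".." components: both escape dest_dir.
            out[info.filename] = os.path.normpath(os.path.join(dest_real, info.filename))
    return out


def escapes(dest_dir: str, target: str) -> bool:
    """True if target resolves outside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    return os.path.commonpath([dest_real, os.path.realpath(target)]) != dest_real


def safe_target(dest_dir: str, entry_name: str):
    """Return the absolute path entry_name may be written to under dest_dir,
    or None if the entry must be rejected. Treats '\\' as a separator too,
    rejects absolute paths, drive letters and any '..' component, then
    re-checks the resolved path against dest_dir as a second line of defence."""
    dest_real = os.path.realpath(dest_dir)
    name = entry_name.replace("\\", "/")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or name.startswith("/") or ".." in parts or ":" in parts[0]:
        return None
    candidate = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        return None
    return candidate


def extract_safe(zip_bytes: bytes, dest_dir: str) -> tuple:
    """Extract only entries whose names pass safe_target.
    Returns (written_paths, rejected_names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo() -> tuple:
    """Run everything in a fresh temp dir.
    Returns (written relative paths, rejected names, names the naive join escapes with)."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = extract_safe(data, dest)
        naive = naive_targets(data, dest)
        escaped = sorted(n for n, t in naive.items() if escapes(dest, t))
        rel_written = [os.path.relpath(p, os.path.realpath(dest)) for p in written]
    return rel_written, rejected, escaped


if __name__ == "__main__":
    print(demo())
```

Two points worth noting about the design. Rejecting the whole entry is preferable to stripping traversal symbols out of its name: a stripped name still lands somewhere the archive author chose, and a rejected entry can be surfaced to the caller as a malformed archive. The backslash case is harmless on POSIX (the naive join keeps it inside the destination, as the dry run shows) but escapes on Windows, so a portable check treats both separators the same. This example does not handle symlink entries; an archive that first extracts a symlink pointing outside the destination and then writes through it needs a separate check on existing path components.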

ethanlim commented 6 years ago

Yeah, is it vulnerable?

EthanArbuckle commented 6 years ago

@pixelglow Any update or feedback?