Zipperdown security issue (Path traversal symbols not being ignored)

[EthanArbuckle]

Hello,

A security issue has been discovered in another popular Archiving SDK, ZipArchive, which can lead to arbitrary file overwrite. The archive can potentially contain path traversal file names, which can lead to files being written outside of their intended destination. This could potentially lead to RCE under the worst of circumstances (such as overwriting a javascript file that the app is going to execute).

See:
https://zipperdown.org/
ZipArchive/ZipArchive#453

ZipArchive is floating the idea of a "secure" unarchiving method that strips out filenames containing path traversal symbols.

Your thoughts?

[ethanlim]

Yeah is it vulnerable?

[EthanArbuckle]

@pixelglow Any Update or feedback?