Zipperdown security issue (Path traversal symbols not being ignored) #170

Open
EthanArbuckle opened this issue May 18, 2018 · 2 comments

@EthanArbuckle

Hello,

A security issue has been discovered in another popular archiving SDK, ZipArchive, which can lead to arbitrary file overwrite. The archive can potentially contain path traversal file names, which can lead to files being written outside of their intended destination. This could potentially lead to RCE under the worst of circumstances (such as overwriting a JavaScript file that the app is going to execute).

See:
https://zipperdown.org/
ZipArchive/ZipArchive#453

ZipArchive is floating the idea of a "secure" unarchiving method that strips out filenames containing path traversal symbols.

Your thoughts?
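
The check an unarchiver needs against the traversal names described above, as an added example that is not part of the original post and is not code from this project or from ZipArchive. It rejects any entry whose resolved path leaves the destination (rather than stripping symbols from the name); the function names and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile


def is_within(dest_root: str, entry_name: str) -> bool:
    """True if entry_name, joined to dest_root, resolves inside dest_root."""
    # Archives built on Windows may use backslashes as separators.
    name = entry_name.replace("\\", "/")
    # Refuse absolute paths and drive-letter style names outright.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    root = os.path.realpath(dest_root)
    # realpath collapses ".." and follows symlinks already on disk.
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def safe_extract(zip_bytes: bytes, dest_root: str):
    """Write only entries that stay under dest_root; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_within(dest_root, info.filename):
                rejected.append(info.filename)  # log it, never write it
                continue
            if info.is_dir():
                continue
            target = os.path.join(dest_root, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/app.js", "console.log('ok');")
        zf.writestr("../../outside.js", "would land two levels up")
        zf.writestr("assets/../../escape.txt", "hidden traversal")
    return buf.getvalue()
```

Checking the resolved path catches names such as `assets/../../escape.txt` that begin with an innocent-looking directory, while still accepting names like `a/../b.txt` that stay inside the destination.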

@ethanlim

Yeah, is it vulnerable?

@EthanArbuckle
Author

@pixelglow Any update or feedback?
