Is fflate supposed to be able to read strange .zip files and guard against surprising behavior? #245
Replies: 1 comment 1 reply
-
|
Thanks for the flag! I don't see any super concerning behavior here from a quick glance. fflate seems to get It gives nonsense output with an empty filename for the second one, but the file is not a valid ZIP per I do think the last case is out of scope and should not be described as a "path traversal vulnerability" because the library does not offer an API to write to disk for you. Anyone who chooses to use the library to write an "unzip" style tool that does write out to disk, and who doesn't want to extract outside the directory they choose, would probably want to do their own sanitization outside Unfortunately I haven't had time to maintain this project as regularly as I'd like for a while but I'll add some docs about this behavior in the next release. Thanks for the report! |
Beta Was this translation helpful? Give feedback.
-
|
thanks for the reply! i will follow up with more details, but i'm taking some time to prepare. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I'm doing research on unzip implementations and I've found several odd behaviors in fflate that I would call bugs. I'm wondering if the maintainers of this project are interested in fixing corner case behavior or if the focus is really just on performance for the common case?
Here are a few examples of odd zipfiles that produce surprising behavior from the two unzip implementations in fflate:
confusing_1.zip
confusing_2.zip
dangerous_1.zip
That third one contains a path traversal vulnerability, which the maintainers of fflate might consider out of scope. I don't want to tell you how you should design your own software, but if you don't want to guard against this kind of thing, please document that so users know what they're signing up for.
Let me know if you'd like more info.
Beta Was this translation helpful? Give feedback.
All reactions