https://bugzilla.wikimedia.org/show_bug.cgi?id=24230
--- Comment #4 from Tim Starling <[email protected]> 2011-02-07 01:21:21 UTC ---

(In reply to comment #1)
> The relevant detection code is at
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/Collections-Jar-Zip-Logging-regex/java/util/jar/JarFile.java.htm
>
> Shortly, it checks for META-INF/MANIFEST.MF case-insensitive. To be completely
> sure, any file containing directory META-INF should be considered potentially
> dangerous.

It's not necessary to have a META-INF directory. Here is a page with an applet which doesn't have one; it works just fine:

http://noc.wikimedia.org/~tstarling/odjar/

java.util.jar is not used to open JAR files during startup. The class files for it are themselves inside a JAR file. Instead, the native C code is used directly:

<http://hg.openjdk.java.net/jdk7/tl/jdk/file/a06412e13bf7/src/share/native/java/util/zip/>

(In reply to comment #3)
> $ java -jar gifar.gif
> Exception in thread "main" java.lang.NoClassDefFoundError: gifar/Main

The <applet> tag can contain a "code" attribute which specifies which class to run. In this case, no Main-Class entry (and indeed no manifest at all) is required.

To check if a zip file is safe, you have to check whether there are any files in it with a ".class" extension. To do this, you have to scan the central directory, with a zip reader that supports ZIP64, including the central directory compression feature. Doing this in pure PHP is possible, using zlib for decompression, but note that the PEAR Archive_Zip library is not good enough because it does not support ZIP64.

(In reply to comment #0)
> * Read with ZipArchive http://php.net/manual/en/ref.zip.php

That extension has a big ugly "unmaintained" warning on it; the PECL extension is recommended instead:

http://www.php.net/manual/en/zip.installation.php

The zip extension is not enabled by default, and so most installations do not have access to it. The zlib extension is enabled by default; that's why I think it's the best solution.

Java only supports zlib for decompression, so there's no need to support any other decompression method to check for safety in Java.

Wikibugs-l mailing list: https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
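The central-directory scan the comment describes, written out as an added example in Python (it is not MediaWiki, PEAR or JDK code, and the function names `find_eocd`, `central_directory_names`, `is_potential_jar` and `build_zip` are this example's own). It assumes a single-disk archive, locates the zip64 end record by scanning backwards for its signature, and treats a compressed central directory (the ZIP64 version 2 feature) as unparseable rather than decoding it. The sample archives and the GIF-like header are constructed inline by `build_zip`, not real files.

```python
# Added example (not MediaWiki or JDK code); single-disk archives assumed.
import struct
import zlib

LOCAL_SIG = b'PK\x03\x04'
CDH_SIG = b'PK\x01\x02'
EOCD_SIG = b'PK\x05\x06'
EOCD64_SIG = b'PK\x06\x06'
EOCD64_LOC_SIG = b'PK\x06\x07'


def find_eocd(data):
    """Find the end-of-central-directory record by scanning backwards, as zip
    readers do; this is why an archive stays readable when other bytes (e.g. an
    image) are prepended. The record is 22 bytes plus a comment of up to 65535."""
    start = max(0, len(data) - 22 - 0xFFFF)
    return data.rfind(EOCD_SIG, start)  # -1 if absent


def central_directory_names(data):
    """Return entry names from the central directory. Raises ValueError when an
    end record exists but the archive cannot be parsed."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError('no end-of-central-directory record')
    _, _, _, count, cd_size, _, _ = struct.unpack_from('<HHHHIIH', data, eocd + 4)
    cd_end = eocd
    loc = eocd - 20  # a zip64 locator, if present, immediately precedes the EOCD
    if loc >= 0 and data[loc:loc + 4] == EOCD64_LOC_SIG:
        pos64 = data.rfind(EOCD64_SIG, 0, loc)  # assumption: locate by signature
        if pos64 < 0:
            raise ValueError('zip64 locator without zip64 end record')
        _, _, ver_needed, _, _, _, count, cd_size, _ = struct.unpack_from(
            '<QHHIIQQQQ', data, pos64 + 4)
        if ver_needed >= 62:
            # version 2 of the zip64 end record allows a compressed or
            # encrypted central directory; this scanner does not decode it
            raise ValueError('compressed central directory not supported')
        cd_end = pos64
    # Derive the directory start from where the end record sits rather than
    # from the stored offset, so a prefixed (polyglot) archive is read the
    # same tolerant way a real reader reads it.
    pos = cd_end - cd_size
    if pos < 0:
        raise ValueError('central directory larger than file')
    names = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError('bad central directory header at offset %d' % pos)
        name_len, extra_len, comment_len = struct.unpack_from('<HHH', data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode('utf-8', 'replace'))
        pos += 46 + name_len + extra_len + comment_len
    return names


def is_potential_jar(data):
    """True if the blob carries a central directory with a .class entry (checked
    case-insensitively) or one we cannot parse (fail closed). No end record at
    all means it is not a zip, so it passes."""
    if find_eocd(data) < 0:
        return False
    try:
        names = central_directory_names(data)
    except (ValueError, struct.error):
        return True
    return any(name.lower().endswith('.class') for name in names)


def build_zip(entries, zip64=False):
    """Constructed sample builder: stored (method 0) entries, optional zip64 end."""
    out, cd = bytearray(), bytearray()
    for name, payload in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        cd += CDH_SIG + struct.pack('<HHHHHHIIIHHHHHII', 20, 10, 0, 0, 0, 0, crc,
                                    len(payload), len(payload), len(name),
                                    0, 0, 0, 0, 0, len(out)) + name
        out += LOCAL_SIG + struct.pack('<HHHHHIIIHH', 10, 0, 0, 0, 0, crc,
                                       len(payload), len(payload), len(name), 0)
        out += name + payload
    cd_off, n, cd_size = len(out), len(entries), len(cd)
    out += cd
    if zip64:
        pos64 = len(out)
        out += EOCD64_SIG + struct.pack('<QHHIIQQQQ', 44, 45, 45, 0, 0, n, n, cd_size, cd_off)
        out += EOCD64_LOC_SIG + struct.pack('<IQI', 0, pos64, 1)
        n, cd_size, cd_off = 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF  # "see zip64 record"
    out += EOCD_SIG + struct.pack('<HHHHIIH', 0, 0, n, n, cd_size, cd_off, 0)
    return bytes(out)


if __name__ == '__main__':
    # constructed GIF-like header followed by a JAR-like archive (cf. comment #3)
    gifar = b'GIF89a' + b'\x00' * 10 + build_zip([(b'gifar/Main.class', b'\xca\xfe\xba\xbe')])
    print(is_potential_jar(gifar))
```

The check is deliberately conservative: a file with no end record is simply not a zip, but once an end record is present, anything the scanner cannot fully walk (truncated directory, unknown zip64 layout, compressed central directory) is reported as a potential JAR rather than waved through. A manifest-only archive is not flagged, matching the comment's point that the `.class` entries, not META-INF, are what matter.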
