--- Comment #4 from Tim Starling <tstarl...@wikimedia.org> 2011-02-07 01:21:21
(In reply to comment #1)
> The relevant detection code is at
> Shortly, it checks for META-INF/MANIFEST.MF case-insensitive. To be completely
> sure, any file containing directory META-INF should be considered potentially
It's not necessary to have a META-INF directory. Here is a page with an applet
which doesn't have one, it works just fine:
java.util.jar is not used to open JAR files during startup. The class files for
it are themselves inside a JAR file. Instead, the native C code is used directly:
(In reply to comment #3)
> $ java -jar gifar.gif
> Exception in thread "main" java.lang.NoClassDefFoundError: gifar/Main
The <applet> tag can contain a "code" attribute which specifies which class to
run. In this case, no Main-Class entry (and indeed no manifest at all) is
To check if a zip file is safe, you have to check whether there are any files
in it with a ".class" extension. To do this, you have to scan the central
directory, with a zip reader that supports ZIP64 including the central
directory compression feature. Doing this in pure PHP is possible, using zlib
for decompression, but note that the PEAR Archive_Zip library is not good
enough because it does not support ZIP64.
(In reply to comment #0)
> * Read with ZipArchive http://php.net/manual/en/ref.zip.php
That extension has a big ugly "unmaintained" warning on it, the PECL extension
is recommended instead:
The zip extension is not enabled by default, and so most installations do not
have access to it. The zlib extension is enabled by default, that's why I think
it's the best solution. Java only supports zlib for decompression, so there's
no need to support any other decompression method to check for safety in Java.
Wikibugs-l mailing list
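The check described in the comment above (walk the central directory and look for ".class" entry names, without relying on a META-INF directory or a manifest, and with ZIP64 end records handled), written out as an added example in Python. This is not MediaWiki code and not anything attached to the bug; a PHP port would use the same offsets with unpack(). It assumes a single-disk archive whose ZIP64 end record, when present, sits between the central directory and the ZIP64 locator, and it finds the central directory from the end records rather than from the stored offset, because in the GIFAR layout (a JAR appended to a GIF) every stored offset is relative to the JAR, not to the file, while the JVM's native reader locates the archive from its tail. Entry names are read straight from the central directory headers, so nothing is inflated; the spec's encrypted/compressed central directory variant is deliberately not supported and such an archive is rejected. The samples produced by build_sample (a GIF-prefixed JAR, a plain zip, and a hand-rewritten ZIP64 archive) are constructed test input, not real uploads.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"        # end of central directory record, 22 bytes + comment
EOCD64_SIG = b"PK\x06\x06"      # ZIP64 end of central directory record, 56 bytes
EOCD64_LOC_SIG = b"PK\x06\x07"  # ZIP64 end of central directory locator, 20 bytes
CDFH_SIG = b"PK\x01\x02"        # central directory file header, 46 bytes + name/extra/comment


def looks_like_zip(data):
    """An EOCD signature within the last 64 KiB + 22 bytes is what a reader that
    starts from the end of the file keys on, whatever the first bytes say."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF)) >= 0


def _end_records(data):
    """Return (entry_count, cd_size, stored_cd_offset, cd_end); cd_end is the
    absolute position of the record that follows the central directory: the
    EOCD, or the ZIP64 EOCD when the classic fields only hold sentinels."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("no usable end-of-central-directory record")
    _, _, _, count, cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    cd_end = eocd
    if count == 0xFFFF or cd_size == 0xFFFFFFFF or cd_off == 0xFFFFFFFF:
        loc = eocd - 20
        if loc < 0 or data[loc:loc + 4] != EOCD64_LOC_SIG:
            raise ValueError("ZIP64 sentinels without a ZIP64 locator")
        _, stored_pos, _ = struct.unpack_from("<IQI", data, loc + 4)
        # The stored position is relative to the archive start, which is not the
        # file start when a JAR sits behind a GIF. Assumption: single-disk layout,
        # so the record normally sits immediately before the locator.
        for pos in (stored_pos, loc - 56):
            if pos >= 0 and data[pos:pos + 4] == EOCD64_SIG:
                break
        else:
            raise ValueError("ZIP64 end-of-central-directory record not found")
        _, _, _, _, _, _, count, cd_size, cd_off = struct.unpack_from("<QHHIIQQQQ", data, pos + 4)
        cd_end = pos
    return count, cd_size, cd_off, cd_end


def central_directory_names(data):
    """Walk the (uncompressed) central directory and return every entry name as
    bytes. The directory is located from its end first, since that survives a
    prefix that has shifted every stored offset; the stored offset is the fallback."""
    count, cd_size, cd_off, cd_end = _end_records(data)
    if count == 0:
        return []
    for start in (cd_end - cd_size, cd_off):
        if start >= 0 and data[start:start + 4] == CDFH_SIG:
            break
    else:
        raise ValueError("central directory not found")
    names, pos = [], start
    for _ in range(count):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name_len, extra_len, comment_len = f[9], f[10], f[11]
        names.append(data[pos + 46:pos + 46 + name_len])
        pos += 46 + name_len + extra_len + comment_len
    return names


def find_class_entries(data):
    """Names of *.class entries, matched case-insensitively to stay conservative.
    Raises ValueError when the archive cannot be walked."""
    try:
        names = central_directory_names(data)
    except struct.error as e:
        raise ValueError("truncated record: %s" % e) from e
    return [n.decode("utf-8", "replace") for n in names if n.lower().endswith(b".class")]


def is_safe_upload(data):
    """Policy: refuse anything carrying a *.class entry, and also anything with a
    ZIP end record that cannot be walked, rather than guess how leniently some
    runtime reader might parse it."""
    if not looks_like_zip(data):
        return True
    try:
        return not find_class_entries(data)
    except ValueError:
        return False


def build_sample(names, prefix=b"", zip64=False):
    """Constructed test input (not a real upload): an archive with the given
    entries, optionally behind a prefix (the GIFAR layout) and/or rewritten
    with ZIP64 end records so that the classic EOCD carries only sentinels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"\xca\xfe\xba\xbe" if n.lower().endswith(".class") else b"x")
    data = buf.getvalue()
    if zip64:
        eocd = data.rfind(EOCD_SIG)
        count, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
        body = data[:eocd]  # local headers + central directory, as written by zipfile
        rec = EOCD64_SIG + struct.pack("<QHHIIQQQQ", 44, 45, 45, 0, 0, count, count, cd_size, cd_off)
        loc = EOCD64_LOC_SIG + struct.pack("<IQI", 0, len(body), 1)
        end = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0xFFFF, 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0)
        data = body + rec + loc + end
    return prefix + data


if __name__ == "__main__":
    gifar = build_sample(["META-INF/MANIFEST.MF", "evil/Main.class"], prefix=b"GIF89a" + b"\x00" * 300)
    print(find_class_entries(gifar), is_safe_upload(gifar))
```

Note that a MIME sniff or a GIF decoder would happily accept the first sample, which is the whole point: the decision has to be made from the tail of the file, and an archive that has an end record but cannot be walked is refused rather than passed through.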