--- Comment #4 from Tim Starling <> 2011-02-07 01:21:21 UTC ---
(In reply to comment #1)
> The relevant detection code is at 
> Shortly, it checks for META-INF/MANIFEST.MF case-insensitive. To be completely
> sure, any file containing directory META-INF should be considered potentially
> dangerous.

It's not necessary to have a META-INF directory. Here is a page with an applet
which doesn't have one; it works just fine:

java.util.jar is not used to open JAR files during startup. The class files for
it are themselves inside a JAR file. Instead, the native C code is used directly:


(In reply to comment #3)
> $ java -jar gifar.gif 
> Exception in thread "main" java.lang.NoClassDefFoundError: gifar/Main

The <applet> tag can contain a "code" attribute which specifies which class to
run. In this case, no Main-Class entry (and indeed no manifest at all) is

To check if a zip file is safe, you have to check whether there are any files
in it with a ".class" extension. To do this, you have to scan the central
directory, with a zip reader that supports ZIP64 including the central
directory compression feature. Doing this in pure PHP is possible, using zlib
for decompression, but note that the PEAR Archive_Zip library is not good
enough because it does not support ZIP64.

(In reply to comment #0)
> * Read with ZipArchive

That extension has a big ugly "unmaintained" warning on it, the PECL extension
is recommended instead:

The zip extension is not enabled by default, and so most installations do not
have access to it. The zlib extension is enabled by default, that's why I think
it's the best solution. Java only supports zlib for decompression, so there's
no need to support any other decompression method to check for safety in Java.
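The central-directory scan described in the comment above, written as an added example that is not code from the bug thread or from MediaWiki, in Python rather than the PHP being discussed. It assumes the whole archive is in memory, walks the ZIP64 end record when present, and does not handle the compressed central directory variant.

```python
import io
import struct
import zipfile

EOCD_SIG, EOCD64_SIG, EOCD64_LOC_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x06\x06", b"PK\x06\x07", b"PK\x01\x02"


def central_directory_names(data: bytes):
    """Yield every file name listed in the zip central directory.

    Handles ZIP64 end-of-central-directory records and bytes prepended to the
    archive (the GIF half of a GIFAR); the compressed central directory variant
    is not supported and raises on its missing signature.
    """
    # EOCD is 22 fixed bytes plus a comment of at most 65535 bytes: scan backwards.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    end = eocd
    if entries == 0xFFFF or 0xFFFFFFFF in (cd_size, cd_offset):
        # ZIP64: the locator sits 20 bytes before EOCD, the ZIP64 EOCD 56 bytes before that.
        loc, end = eocd - 20, eocd - 20 - 56
        if end < 0 or data[loc:loc + 4] != EOCD64_LOC_SIG or data[end:end + 4] != EOCD64_SIG:
            raise ValueError("malformed ZIP64 end-of-central-directory")
        _, _, _, _, _, _, entries, cd_size, _ = struct.unpack_from("<QHHIIQQQQ", data, end + 4)
    # Locate the directory relative to the end record instead of trusting the stored
    # offset, so a GIF (or anything else) prepended to the archive does not mislead us.
    pos = end - cd_size
    if pos < 0:
        raise ValueError("central directory size exceeds file")
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        fields = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name_len, extra_len, comment_len = fields[9], fields[10], fields[11]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len


def contains_class_files(data: bytes) -> bool:
    """True if any entry name ends in .class, compared case-insensitively."""
    return any(n.lower().endswith(".class") for n in central_directory_names(data))


def make_gifar_like(names):
    """Constructed sample: a GIF-looking prefix followed by a zip holding `names`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return b"GIF89a" + b"\x00" * 32 + buf.getvalue()
```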
