https://bugzilla.wikimedia.org/show_bug.cgi?id=24230

--- Comment #4 from Tim Starling <tstarl...@wikimedia.org> 2011-02-07 01:21:21 UTC ---
(In reply to comment #1)
> The relevant detection code is at 
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/Collections-Jar-Zip-Logging-regex/java/util/jar/JarFile.java.htm
> 
> Shortly, it checks for META-INF/MANIFEST.MF case-insensitive. To be completely
> sure, any file containing directory META-INF should be considered potentially
> dangerous.

It's not necessary to have a META-INF directory. Here is a page with an applet
which doesn't have one; it works just fine:

http://noc.wikimedia.org/~tstarling/odjar/

java.util.jar is not used to open JAR files during startup. The class files for
it are themselves inside a JAR file. Instead, the native C code is used directly:

<http://hg.openjdk.java.net/jdk7/tl/jdk/file/a06412e13bf7/src/share/native/java/util/zip/>

(In reply to comment #3)
> $ java -jar gifar.gif 
> Exception in thread "main" java.lang.NoClassDefFoundError: gifar/Main

The <applet> tag can contain a "code" attribute which specifies which class to
run. In this case, no Main-Class entry (and indeed no manifest at all) is
required.

To check if a zip file is safe, you have to check whether there are any files
in it with a ".class" extension. To do this, you have to scan the central
directory, with a zip reader that supports ZIP64 including the central
directory compression feature. Doing this in pure PHP is possible, using zlib
for decompression, but note that the PEAR Archive_Zip library is not good
enough because it does not support ZIP64.

(In reply to comment #0)
> * Read with ZipArchive http://php.net/manual/en/ref.zip.php

That extension has a big ugly "unmaintained" warning on it; the PECL extension
is recommended instead:

http://www.php.net/manual/en/zip.installation.php

The zip extension is not enabled by default, and so most installations do not
have access to it. The zlib extension is enabled by default; that's why I think
it's the best solution. Java only supports zlib for decompression, so there's
no need to support any other decompression method to check for safety in Java.
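The check described in the comment above (scan the central directory, located from the end of the file, for any ".class" entry, with ZIP64 end-of-central-directory records handled), as an added example in Python rather than the PHP the comment proposes. This is not MediaWiki's code; the function names and the GIF-prefixed sample archive are constructed for illustration.

```python
import io
import struct
import zipfile  # used only to build the constructed sample archives below

EOCD_SIG, EOCD64_SIG, LOC64_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x06\x06", b"PK\x06\x07", b"PK\x01\x02"

def central_directory(data: bytes) -> bytes:
    """Return the raw central directory. It is found from the end of the file, so
    bytes prepended before the zip (e.g. a GIF) do not matter, as with Java's reader."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))  # 22-byte record + up to 64K comment
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    cd_end = eocd
    if entries == 0xFFFF or 0xFFFFFFFF in (cd_size, cd_offset):
        # ZIP64: a 56-byte ZIP64 EOCD record and a 20-byte locator precede the EOCD
        z64 = eocd - 20 - 56
        if z64 < 0 or data[eocd - 20:eocd - 16] != LOC64_SIG or data[z64:z64 + 4] != EOCD64_SIG:
            raise ValueError("malformed ZIP64 end-of-central-directory")
        cd_size = struct.unpack_from("<Q", data, z64 + 40)[0]  # 64-bit central directory size
        cd_end = z64
    cd_start = cd_end - cd_size
    if cd_start < 0:
        raise ValueError("central directory size exceeds file size")
    return data[cd_start:cd_end]

def entry_names(data: bytes):
    """Yield every file name recorded in the central directory (46-byte fixed header each)."""
    cd, pos = central_directory(data), 0
    while pos + 46 <= len(cd):
        if cd[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory header")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", cd, pos + 28)
        yield cd[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len

def contains_java_class(data: bytes) -> bool:
    """True if any entry has a .class extension (compared lower-cased, a conservative choice)."""
    return any(name.lower().endswith(".class") for name in entry_names(data))

def build_sample(names) -> bytes:
    """Constructed sample: a GIF-like header followed by a zip archive, i.e. a GIFAR-shaped file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # constructed placeholder content
    return b"GIF89a" + b"\x00" * 10 + buf.getvalue()

if __name__ == "__main__":
    print(contains_java_class(build_sample(["gifar/Main.class", "img.png"])))  # True
    print(contains_java_class(build_sample(["readme.txt"])))  # False
```

An upload for which this raises ValueError should be rejected rather than passed through, since a structure this scanner cannot parse may still be accepted by Java's native reader.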
