[Issue 20027] std.zip susceptible to zip malware attacks

d-bugmail at puremagic.com d-bugmail at puremagic.com
Wed Sep 25 16:54:02 UTC 2019


https://issues.dlang.org/show_bug.cgi?id=20027

Berni <dlang at croco-puzzle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dlang at croco-puzzle.com

--- Comment #2 from Berni <dlang at croco-puzzle.com> ---
Some of these rejections feel a little bit dubious. E.g. "Rejects ZIP64 version
2 (and ZIP64 version 1).". Do we want to support Zip64 or not? Same question
for multiple volumes and encryption.

Also, zip has been designed to contain unused data: When removing a file from
an archive, it can just be deleted from the central directory. From the view
point of data protection this is horrible, but it's still a correct zip file,
that should not be rejected by std.zip in my opinion.

"Rejects compression methods other than 0 (uncompressed) or 8 (deflate)." - At
least 12 (bzip) might be another candidate for decompression support in my
opinion.

Others, like overlapping entries or invalid paths and so on, should of course
be rejected.

What do you think?

--
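The comment draws a line between archives that merely carry unused data (a file "deleted" by dropping only its central directory record) and archives that should be rejected outright (overlapping entries, unsupported compression methods). The following added example, written for this page in Python rather than D and not taken from the bug thread or from Phobos' std.zip, walks the central directory and local headers of an in-memory archive and separates the two cases: it reports overlapping entries and unknown methods as findings, and counts bytes not referenced by any entry as unused data without treating them as an error. The helper names (`audit`, `drop_from_central_directory`, `alias_local_header`, `set_method`) and the sample archive are constructed for the example; the allowed-method set follows the comment (0, 8 and 12).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
ALLOWED_METHODS = {0, 8, 12}  # stored, deflate, bzip2 (as suggested in the comment)


def eocd_fields(data):
    """Locate the EOCD record; return (eocd_pos, cd_size, cd_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack("<II", data[eocd + 12:eocd + 20])
    return eocd, cd_size, cd_offset


def cd_records(data):
    """Yield (pos, record_length, name) for every central directory record."""
    _, cd_size, cd_offset = eocd_fields(data)
    pos = cd_offset
    while pos < cd_offset + cd_size:
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        nlen, elen, clen = struct.unpack("<HHH", data[pos + 28:pos + 34])
        length = 46 + nlen + elen + clen
        yield pos, length, data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += length


def parse_central_directory(data):
    """Return [(name, method, local_header_offset, compressed_size), ...]."""
    entries = []
    for pos, _, name in cd_records(data):
        (method,) = struct.unpack("<H", data[pos + 10:pos + 12])
        (csize,) = struct.unpack("<I", data[pos + 20:pos + 24])
        (lho,) = struct.unpack("<I", data[pos + 42:pos + 46])
        entries.append((name, method, lho, csize))
    return entries


def entry_span(data, lho, csize):
    """Byte range [start, end) occupied by one local header plus its data."""
    if data[lho:lho + 4] != LFH_SIG:
        raise ValueError(f"no local file header at offset {lho}")
    (flags,) = struct.unpack("<H", data[lho + 6:lho + 8])
    nlen, elen = struct.unpack("<HH", data[lho + 26:lho + 30])
    size = 30 + nlen + elen + csize
    if flags & 0x08:  # data descriptor trails the data (with or without signature)
        size += 16 if data[lho + size:lho + size + 4] == b"PK\x07\x08" else 12
    return lho, lho + size


def audit(data):
    """Return (findings, unused_bytes): findings are reasons to reject,
    unused bytes are merely unreferenced (e.g. a lazily deleted entry)."""
    findings, spans = [], []
    for name, method, lho, csize in parse_central_directory(data):
        if method not in ALLOWED_METHODS:
            findings.append(f"{name}: unsupported compression method {method}")
        spans.append((entry_span(data, lho, csize), name))
    _, cd_size, cd_offset = eocd_fields(data)
    spans.append(((cd_offset, cd_offset + cd_size), "<central directory>"))
    spans.sort()
    unused, prev_end, prev_name = 0, 0, "<start>"
    for (start, end), name in spans:
        if start < prev_end:
            findings.append(f"{name}: overlaps {prev_name} ({start} < {prev_end})")
        elif start > prev_end:
            unused += start - prev_end  # gap nobody references: legal, just wasteful
        prev_end, prev_name = max(prev_end, end), name
    return findings, unused


# --- constructed inputs for the checks above ---------------------------------

def build_sample():
    """Constructed three-file archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("a.txt", "alpha " * 50)
        z.writestr("b.txt", "bravo " * 50)
        z.writestr("c.txt", "charlie " * 50)
    return buf.getvalue()


def drop_from_central_directory(data, victim):
    """The lazy delete the comment describes: remove only the CD record,
    leaving the local header and data behind as unused bytes."""
    eocd, _, cd_offset = eocd_fields(data)
    kept = [data[p:p + n] for p, n, name in cd_records(data) if name != victim]
    new_cd = b"".join(kept)
    new_eocd = EOCD_SIG + struct.pack("<HHHHII", 0, 0, len(kept), len(kept),
                                      len(new_cd), cd_offset) + data[eocd + 20:]
    return data[:cd_offset] + new_cd + new_eocd


def alias_local_header(data, name, target):
    """Constructed malformed input: make two CD records share one local header."""
    recs = {n: p for p, _, n in cd_records(data)}
    lho = data[recs[target] + 42:recs[target] + 46]
    p = recs[name]
    return data[:p + 42] + lho + data[p + 46:]


def set_method(data, name, method):
    """Constructed input: rewrite the compression method in one CD record."""
    p = {n: p for p, _, n in cd_records(data)}[name]
    return data[:p + 10] + struct.pack("<H", method) + data[p + 12:]


if __name__ == "__main__":
    clean = build_sample()
    print("clean:", audit(clean))
    print("lazy delete:", audit(drop_from_central_directory(clean, "b.txt")))
    print("overlap:", audit(alias_local_header(clean, "c.txt", "a.txt")))
    print("method:", audit(set_method(clean, "a.txt", 14)))
```

The split mirrors the comment's position: the lazily deleted entry produces no finding, only a non-zero unused-byte count that a caller may log or ignore, while the shared local header and the unknown method each produce a finding a strict reader would reject on. The local header's own method field is not cross-checked against the central directory here; a production validator would compare the two as well.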