uploaded zip extracting security
Date 2006-04-06 10:39:12 | Category: PHP
Though I've released "zip file upload" modules, the library PEAR::Archive_Zip which is used by the modules has two security holes.
(1) Directory traversal when extracting a zip into the file system.
(2) It is easy to create a zip that exhausts the server's memory on extraction.
Against (1), don't extract a zip into the file system directly.
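require_once 'Archive/Zip.php' ;
// $upload_tmp_file : path of the uploaded temporary file (the 'tmp_name' entry of $_FILES)
$reader = new Archive_Zip( $upload_tmp_file ) ;
$files = $reader->extract( array( 'extract_as_string' => true ) ) ;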
You can get extracted bodies as an array of $files. Then, save them into files manually and carefully.
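One way to do the "manually and carefully" step, as an added example that is not code from myAlbum-P or PEAR. The function name `save_extracted_entries`, the extension allowlist and the sample data are assumptions, and so is the entry layout (keys 'filename', 'content', 'folder'); check it against your Archive_Zip version.

```php
<?php
// Added example. Entry keys 'filename', 'content' and 'folder' are assumed
// from the result of Archive_Zip::extract(); verify against your version.

function save_extracted_entries(array $files, string $destDir, array $allowedExt): array
{
    $saved = array();
    foreach ($files as $entry) {
        if (!empty($entry['folder']) || !isset($entry['filename'], $entry['content'])) {
            continue; // skip directory entries and malformed records
        }
        // Drop every path component: "../../x", "/etc/x" and "a\..\x"
        // all collapse to the bare file name.
        $name = basename(str_replace('\\', '/', $entry['filename']));
        // Conservative character set and exactly one extension.
        if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
            continue;
        }
        if (!in_array(strtolower($m[1]), $allowedExt, true)) {
            continue;
        }
        // 'x' mode fails if the file already exists, so nothing is overwritten.
        $fp = @fopen($destDir . '/' . $name, 'xb');
        if ($fp === false) {
            continue;
        }
        fwrite($fp, $entry['content']);
        fclose($fp);
        $saved[] = $name;
    }
    return $saved;
}

// Constructed sample input in the assumed shape (no real archive involved).
$files = array(
    array('filename' => 'photos/cat.jpg',   'folder' => false, 'content' => 'JPEGDATA'),
    array('filename' => '../../config.php', 'folder' => false, 'content' => 'not an image'),
    array('filename' => '..\\..\\dog.png',  'folder' => false, 'content' => 'PNGDATA'),
    array('filename' => 'shell.php.jpg',    'folder' => false, 'content' => 'not an image'),
    array('filename' => 'photos/',          'folder' => true,  'content' => ''),
);
$dest = sys_get_temp_dir() . '/zip_demo_' . uniqid();
mkdir($dest, 0700);
print_r(save_extracted_entries($files, $dest, array('jpg', 'png', 'gif')));
```

Only the two image entries are written, both directly inside the destination directory; the traversal paths lose their directory part, and the `.php` and double-extension names are rejected.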
But in fact, there is no clue to solving problem (2).
Thus, you cannot allow anonymous users to upload zips. When I implement a zip archive feature in myAlbum-P, it must be a function on the admin side.
Since there is no CSRF threat with HTTP upload, we need to care about "direct attacks" only.