Zip Slip documentation

Bernd Eckenfels ecki at zusammenkunft.net
Mon Jun 18 19:38:03 UTC 2018


Hello,

According to Snyk’s Zip Slip vulnerability report, this (the issue with file name traversal by extracted archives) was also sent to Oracle, and since java.util.zip.ZipEntry is a low-level API the proper action is changes to the documentation.

https://github.com/snyk/zip-slip-vulnerability

I wonder if those changes are already published and where they are.

(I am aware I won't get an answer if it is not yet published, but in that case the statement in the repo should be corrected to “not yet documented”).

Does the enhanced documentation also talk about the other classical problems with archive file entries like absolute path, control characters (linefeed) and illegal (for the local filesystem) characters? Does it also mention backslash? If not, I would think a warning might be needed for ZipEntry.getName.

The reason I am looking into this is that the solution with preparing the file path of canonized file names and parent is not always possible if it will not directly be extracted or if the performance impact might be too high. For that reason rejecting some bad characters and structures on the string level might be a good thing (even if that would be a dangerous blacklist construct).

Regards
Bernd
-- 
http://bernd.eckenfels.net
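
The two approaches contrasted in the message above, as an added example that is not part of the original post and not JDK code: a string-level check on the entry name next to a path-level containment check. The class and method names, the sample entry names and the `extract-dir` target are assumptions made for illustration, and the path-level check uses lexical normalization (`Path.normalize`) rather than `File.getCanonicalPath`, so it does not resolve symlinks.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ZipEntryNameCheck {
    // String-level check (hypothetical helper): usable when the entry is not extracted directly.
    // It is a blacklist, so it is deliberately strict and platform independent.
    static boolean isSafeName(String name) {
        if (name == null || name.isEmpty()) return false;
        if (name.startsWith("/")) return false;                        // absolute path
        if (name.indexOf('\\') >= 0) return false;                     // backslash used as separator
        if (name.length() > 1 && name.charAt(1) == ':') return false;  // drive letter such as "C:"
        for (int i = 0; i < name.length(); i++) {
            if (Character.isISOControl(name.charAt(i))) return false;  // linefeed, NUL, ...
        }
        for (String segment : name.split("/")) {
            if (segment.equals("..")) return false;                    // parent-directory traversal
        }
        return true;
    }

    // Path-level check (hypothetical helper): resolve against the target and verify containment.
    // Assumption: lexical normalization only; symlinks inside the target are not resolved.
    static Path resolveInside(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        if (!resolved.startsWith(base)) {                              // compares path components
            throw new IOException("entry escapes target directory: " + entryName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample entry names, not taken from a real archive.
        String[] names = { "docs/readme.txt", "../../etc/passwd", "/etc/passwd",
                           "..\\..\\win.ini", "C:/temp/x", "a\nb.txt", "a/../b.txt" };
        Path target = Paths.get("extract-dir");
        for (String n : names) {
            String pathCheck;
            try {
                resolveInside(target, n);
                pathCheck = "inside target";
            } catch (IOException | RuntimeException e) {               // InvalidPathException is unchecked
                pathCheck = "rejected (" + e.getClass().getSimpleName() + ")";
            }
            System.out.printf("%-18s string=%-5b path=%s%n", n.replace("\n", "\\n"), isSafeName(n), pathCheck);
        }
    }
}
```

On a POSIX filesystem the backslash and drive-letter names pass the path-level check, because those characters are ordinary file name characters there; the string-level check rejects them regardless of the platform the code runs on.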
