Archive package is vulnerable to zip filename spoofing
Closed this issue · 2 comments
Hi,
This is a follow-up of the previous issue report. We noticed that when archive tries to parse the filename from the zip header, it only considers the filename from the Local File Header and does not match it against the Central Directory Entry filename. This can pose a security risk, as the Local File Header can be easily spoofed, which leads to an inconsistency in the filenames of the entries before and after extraction. Below is a demo where we crafted a zip file with a spoofed Local File Header and tried extracting it using your package.
crafted zip file (poc.zip) binary content
zip file before extraction (the file inside appears as evil.txt)
zip file after extraction (the file now appears as evil.apk)
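A defender-side consistency check for the mismatch described in this report, added here as an example and not code from the archive package: it reads each entry's name from the Central Directory, then from the Local File Header that the Central Directory points to, and reports any disagreement. The sample zip is constructed inline (Python's zipfile is only used to write it and to read the Central Directory); the spoofed variant rewrites the Local File Header name alone.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"  # Local File Header signature


def central_directory_names(data: bytes) -> dict:
    """Map each entry's local-header offset to the filename recorded in the Central Directory."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    return {info.header_offset: info.filename for info in zf.infolist()}


def local_header_name(data: bytes, offset: int) -> str:
    """Read the filename stored in the Local File Header at the given offset."""
    if data[offset:offset + 4] != LFH_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    # Local File Header layout: sig(4) version(2) flags(2) method(2) time(2) date(2)
    # crc(4) csize(4) usize(4) name_len(2) extra_len(2), then the name bytes.
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")


def find_name_mismatches(data: bytes) -> list:
    """Return (central_directory_name, local_header_name) pairs that disagree.

    An extractor that trusts the Local File Header would write the second name,
    while listing tools that read the Central Directory show the first.
    """
    mismatches = []
    for offset, cd_name in central_directory_names(data).items():
        lfh_name = local_header_name(data, offset)
        if lfh_name != cd_name:
            mismatches.append((cd_name, lfh_name))
    return mismatches


def build_sample(spoof: bool) -> bytes:
    """Constructed sample: a one-entry zip named evil.txt in both headers.

    With spoof=True only the Local File Header name is rewritten (same length,
    so Central Directory offsets stay valid), reproducing the reported layout.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evil.txt", b"placeholder content")
    data = buf.getvalue()
    if spoof:
        # The first occurrence of the name is in the Local File Header at offset 0.
        data = data.replace(b"evil.txt", b"evil.apk", 1)
    return data
```

A hardened extractor either refuses archives where `find_name_mismatches` is non-empty or, as the maintainer's fix does, takes the name from the Central Directory only.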
I'll look into fixing that up as soon as I get a chance.
I changed it to use the central directory filename instead of the local entry header name.