Detect G.zip64 based on local file header and not central directory file header #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ile header
Both file headers (central directory and local) can contain Zip64 extra
field.
It has different semantics base on header.
In central directory file header it allows specifying uncompressed size,
compressed size, local file header offset as 64 bit numbers and disk
number as 32 bit number.
In local file header it allows specifying uncompressed size and
compressed size as 64 bit numbers.
There can be valid situation, where central directory file header use
Zip64 extra field, but local file header does not use it.
It is typical for files smaller than 4 GB, where local file header
offset is larger than 4 GB (e.g. for large archives).
Such file can be created e.g. by:
```
dd if=/dev/urandom of=file_larger_than_4g bs=1024 count=4194305
dd if=/dev/zero of=file_smaller_than_4g bs=1024 count=1
dd if=/dev/zero of=another_file_smaller_than_4g bs=1024 count=1
zip -1 -fd bomb.zip file_larger_than_4g file_smaller_than_4g another_file_smaller_than_4g
```
Note: `-fd` is used to simplify scenario - similar error can be achieved
with more complicated input even without `-fd`.
Problem is current ZIP bomb detection, which guess size of data descriptor
based on presence of Zip64 extra field in central directory file header.
For given example `file_smaller_than_4g` has Zip64 extra field in central
directory file header, but has no Zip64 extra field in local file header
and also it has small (containing 32 bit numbers) data descriptor.
Which leads to incorrect ZIP bomb detection:
```
unzip -t bomb.zip file_smaller_than_4g another_file_smaller_than_4g
Archive: bomb.zip
testing: file_smaller_than_4g OK
error: invalid zip file with overlapped components (possible zip bomb)
```
Purpose of this fix is to correctly detect size of data descriptor
based on presence of Zip64 extra field in local file header (and not in central
directory file header).
It looks, that it should be correct when consulted with `zip` source
code (there is very long comment, that situation is not ideal, and size
must be guessed).
With this change:
```
unzip -t bomb.zip file_smaller_than_4g another_file_smaller_than_4g
Archive: bomb.zip
testing: file_smaller_than_4g OK
testing: another_file_smaller_than_4g OK
No errors detected in bomb.zip for the 2 files tested.
```
|
Hi there, is there any update regarding this PR? |
1 similar comment
|
Hi there, is there any update regarding this PR? |
|
af0d07f fixes this by ignoring the extra fields, looking for all four data descriptor possibilities. The comments describe why this works. |
|
Thanks for update. I check our case and it behaves correctly. |
|
Good. Can you provide a download link to your case? |
|
Unfortunately it contains private data, so I can not provide it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Both file headers (central directory and local) can contain Zip64 extra
field.
It has different semantics base on header.
In central directory file header it allows specifying uncompressed size,
compressed size, local file header offset as 64 bit numbers and disk
number as 32 bit number.
In local file header it allows specifying uncompressed size and
compressed size as 64 bit numbers.
There can be valid situation, where central directory file header use
Zip64 extra field, but local file header does not use it.
It is typical for files smaller than 4 GB, where local file header
offset is larger than 4 GB (e.g. for large archives).
Such file can be created e.g. by:
Note:
-fdis used to simplify scenario - similar error can be achievedwith more complicated input even without
-fd.Problem is current ZIP bomb detection, which guess size of data descriptor
based on presence of Zip64 extra field in central directory file header.
For given example
file_smaller_than_4ghas Zip64 extra field in centraldirectory file header, but has no Zip64 extra field in local file header
and also it has small (containing 32 bit numbers) data descriptor.
Which leads to incorrect ZIP bomb detection:
Purpose of this fix is to correctly detect size of data descriptor
based on presence of Zip64 extra field in local file header (and not in central
directory file header).
It looks, that it should be correct when consulted with
zipsourcecode (there is very long comment, that situation is not ideal, and size
must be guessed).
With this change: