06.10.2014 10:51
Наткнулся на информацию в ЖЖ о возможных проблемах с WinRar

Скачал тестовый архив, развернул, получил два файла с правильными расширениями: "1.txt" и "2.exe"
У меня - старая версия 3.93

Проверил на версии 4.20 - опаньки - а там получаются два других файла - "1.exe" и "2.exe"

Так что - проверяемся!
06.10.2014 10:56

WinRAR 4.20 is vulnerable to ZIP file name spoofing. Please upgrade to WinRAR 5.00 release or later, which are not vulnerable.


As reported by , it is possible to create a specially crafted ZIP archive, so WinRAR 4.11 and 4.20 will display one archived file name while browsing archive contents, but assign another name to unpacked file. It leads to possible security risks for WinRAR 4.x users.

We investigated this issue and found that all WinRAR 5.x versions beginning from WinRAR 5.00 release are not affected, so we recommend WinRAR 4.x users to upgrade. If you still need to use WinRAR 4.20 for some reason, avoid opening files directly from ZIP archives and carefully check names of unpacked files before opening them.

We noticed a claim that WinRAR 5.10 is vulnerable:

copied by some news sites. We asked intelcrawler.com owners to provide a proof of this claim, but did not receive any response. According to our investigation, WinRAR 5.00, 5.01 and 5.10 do not have this issue.

Also both sites listed above mention that "WINRAR adds several properties of its own" to ZIP format, which is not true. Data which they report as WinRAR specific property is a standard ZIP central directory record, mandatory for any valid ZIP archive.

RAR archives and archives of other formats are not affected by this vulnerability.
06.10.2014 10:58
Тоже попробовал распаковать, 7z видит правильно
unzip тоже
unzip test.zip
Archive: test.zip
1.txt: mismatching "local" filename (1.exe),
continuing with "central" filename version
extracting: 1.txt
extracting: 2.exe
06.10.2014 11:01
По первой ссылке в моем сообщении, кстати, разъясняют, почему так происходит. WinRAR зачем-то добавляет еще одно поле с именем файла.
Опции темы

Часовой пояс GMT +3, время: 09:24.


Форум сделан на основе vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd. Перевод: zCarot и OlegON
В случае заимствования информации гипертекстовая индексируемая ссылка на Форум обязательна.