Roan Kattouw wrote:
"An alternative [to rejecting all ZIP files]
would be to parse the
entire zip directory and to reject any archives that contain a file
with a .class extension. I can’t vouch for this method. **If you did
this, the zip library you used would have to be exactly as tolerant of
zip format errors as the one used by Java.** It would probably be best
to actually shell out to Java to do the test."
(emphasis mine)
If we consider acceptable the performance of parsing full zip files (as
opposed to just 512 bytes or the central directory), we can quite easily
accept many zip files.
There's also the issue of the jar protocol, but that seems fixed from
Firefox 2.0.0.10 so probably not worth taking into account.
http://kb.mozillazine.org/Network.jar.open-unsafe-types
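
An added example, not part of the original message: one way to do the full-file check while failing closed on the parser-tolerance problem raised in the quote. It assumes Python's zipfile as the zip library and makes no attempt to match Java's tolerance; it rejects any upload where a raw signature scan and the library disagree. The names scan_names, check_upload and make_zip are hypothetical.

```python
import io
import struct
import zipfile

# (signature, offset of name-length field, offset of name) per the ZIP format
LOCAL = (b"PK\x03\x04", 26, 30)    # local file header
CENTRAL = (b"PK\x01\x02", 28, 46)  # central directory file header

def scan_names(data, kind):
    """Raw filenames from every header signature anywhere in the bytes,
    without trusting the end-of-central-directory record."""
    sig, len_off, name_off = kind
    names, pos = [], data.find(sig)
    while pos != -1:
        if pos + name_off <= len(data):
            (n,) = struct.unpack_from("<H", data, pos + len_off)
            names.append(data[pos + name_off:pos + name_off + n])
        pos = data.find(sig, pos + 1)
    return sorted(names)

def check_upload(data):
    """Return (accepted, reason); anything ambiguous is rejected."""
    local, central = scan_names(data, LOCAL), scan_names(data, CENTRAL)
    if any(n.lower().endswith(b".class") for n in local + central):
        return False, "entry with .class extension"
    if local != central:
        return False, "local and central headers disagree"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            seen = len(zf.infolist())
    except Exception:  # fail closed on any parser error
        return False, "library cannot parse archive"
    if seen != len(central):
        return False, "library sees a different entry count"
    return True, "ok"

def make_zip(*names):
    """Constructed sample input: an in-memory archive with tiny members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "sample")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_upload(make_zip("readme.txt")))
    print(check_upload(make_zip("Applet.CLASS")))
    print(check_upload(make_zip("a.txt") + make_zip("b.txt")))
```

The scan can also reject a legitimate archive whose compressed data happens to contain a header signature; that is the cost of not depending on one parser's view of the file.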