Ilmari Karonen wrote:
Brion Vibber wrote:
Smarter "evil JAR detection" that pokes through the ZIP file index
looking for Java classes and blocks the specific file would be a nice
addition, particularly if we were to do something foolish like enable
OpenDocument uploads on general-access sites. :)
There is a Zip extension for PHP which might be handy for this purpose,
though of course it's not enabled by default and may not be present on
any given setup. :(
Just make sure it'll fail gracefully if someone tries to upload 42.zip. :D
Checks for these purposes probably only require reading the file
directory, not actually decompressing any file contents.
-- brion
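The directory-only check discussed in this thread, as an added example that is not part of the original message or of MediaWiki's code: it reads only the ZIP central directory, rejects archives that list `.class` entries, and returns a rejection instead of raising on malformed input. The function names, the two limits and the choice of Python are assumptions made for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG, CDFH_SIG = b"PK\x05\x06", b"PK\x01\x02"
MAX_ENTRIES = 1000                 # assumed site limit
MAX_DECLARED_BYTES = 100 * 2**20   # assumed site limit

def read_directory(data):
    """Return [(name, declared_uncompressed_size)] using only the ZIP index."""
    # The end-of-central-directory record lies in the last 22..65557 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count, cd_size, cd_off = struct.unpack_from("<HII", data, pos + 10)
    if count == 0xFFFF or cd_off == 0xFFFFFFFF:
        raise ValueError("ZIP64 archive not supported")
    if count > MAX_ENTRIES or cd_off + cd_size > pos:
        raise ValueError("implausible directory")
    entries, off = [], cd_off
    for _ in range(count):
        if data[off:off + 4] != CDFH_SIG or off + 46 > pos:
            raise ValueError("corrupt directory entry")
        size, nlen, elen, clen = struct.unpack_from("<IHHH", data, off + 24)
        name = data[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        entries.append((name, size))
        off += 46 + nlen + elen + clen
    return entries

def inspect_upload(data, max_bytes=MAX_DECLARED_BYTES):
    """Return (allowed, reason); any parse problem rejects instead of raising."""
    try:
        entries = read_directory(data)
    except (ValueError, struct.error) as exc:
        return False, f"unreadable archive: {exc}"
    for name, _ in entries:
        if name.lower().endswith(".class"):
            return False, f"Java class in archive: {name}"
    # Declared sizes are uploader-controlled; nothing is decompressed here.
    if sum(size for _, size in entries) > max_bytes:
        return False, "declared uncompressed size over limit"
    return True, "ok"

def make_zip(files):
    """Constructed sample input: build a small archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The check does not open nested archives, so it bounds the cost of inspecting an upload rather than proving that the contents are safe to extract.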