Archive (.zip .tar) extraction security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

AlexC
Forum Commoner
Posts: 83
Joined: Mon May 22, 2006 10:03 am

Archive (.zip .tar) extraction security

Post by AlexC »

Morning,

As part of a media module I'm tweaking, which allows you to display images like a gallery for example - I'm adding the ability to upload multiple images via a .zip or .tar archive. However, I'm wondering how I can handle the security of this. I recall reading a while back that you can quite easily create a very small .tar or .zip archive, but when extracted it can be quite huge and fill up disk space.

Is there any way to see what the extracted file size will be first? What is the best way to handle this situation?

Regards,
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Archive (.zip .tar) extraction security

Post by John Cartwright »

I've never heard of this behavior. Compression size is usually only about 30% smaller than the uncompressed size.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Archive (.zip .tar) extraction security

Post by Benjamin »

There is a way to create massive differences between compressed and uncompressed file-sizes. It's fairly easy to do, so I won't say how. You may want to review the compression libraries for information on how to obtain the uncompressed file sizes. I'm sure this information is stored in the archive itself some place.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Archive (.zip .tar) extraction security

Post by Weirdan »

John Cartwright wrote: I've never heard of this behavior.
You never heard of Zip of Death? I'm surprised.
I once had a multi-layer zip file 42 k in size which, when recursively unpacked, would take >4 petabytes.
AlexC
Forum Commoner
Posts: 83
Joined: Mon May 22, 2006 10:03 am

Re: Archive (.zip .tar) extraction security

Post by AlexC »

John Cartwright wrote: I've never heard of this behavior. Compression size is usually only about 30% smaller than the uncompressed size.

Code:

$ yes a | head -c 20485760 > 20MiB
$ ls -la 20MiB && gzip 20MiB && ls -la 20MiB.gz 
-rw-r--r-- 1 acartwright acartwright 20485760 2010-04-30 08:59 20MiB
-rw-r--r-- 1 acartwright acartwright 19920 2010-04-30 08:59 20MiB.gz

20MiB file compressed to 20KiB.

Benjamin wrote: You may want to review the compression libraries for information on how to obtain the uncompressed file sizes. I'm sure this information is stored in the archive itself some place.

Yep, found it - not sure how I missed it before but gzip has a '-l' flag to list the compression ratio/sizes etc. Obviously 'tar' has no compression, so it should be the same size (I got a little muddled up before and had it in my head 'tar' could differ).

Code:

$ gzip -l 20mb.gz 
         compressed        uncompressed  ratio uncompressed_name
              19920            20485760  99.9% 20mb

Should be able to work with this. Thanks.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Archive (.zip .tar) extraction security

Post by John Cartwright »

Weirdan wrote:
John Cartwright wrote: I've never heard of this behavior.
You never heard of Zip of Death? I'm surprised.
I once had a multi-layer zip file 42 k in size which, when recursively unpacked, would take >4 petabytes.

Looks like I need to do my research before commenting :banghead:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Archive (.zip .tar) extraction security

Post by kaisellgren »

Apart from compression technologies, NTFS sparse files are also interesting. It's an easy way to fake DC++ kind of file sharing systems that require a certain amount of GBs of share.

Anyway, if you are using PHP's Zip library, make sure you are using PHP 5.2.7 or newer, or else you will be vulnerable to directory traversal attacks. Then, make sure you read the uncompressed size of the Zip archive. Zip archives store that detail, but I do not know about Tar though. I bet it stores the detail, too.
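
The size check and the traversal concern raised in the replies above, as an added PHP example that is not part of any post in the thread: it reads the declared sizes with ZipArchive first, then enforces the same budget on the bytes actually decompressed and writes under server-chosen names. The two limits, the function name `extractWithinBudget` and the `upload_NNNN` naming are assumptions; it expects PHP 7 or newer with the zip extension and a writable destination directory.

```php
<?php
// Added example, not code from the thread. Both limits are assumed values.
const MAX_ENTRIES = 500;
const MAX_TOTAL_BYTES = 10 * 1024 * 1024; // budget for everything extracted

function extractWithinBudget(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || $zip->numFiles > MAX_ENTRIES) {
        throw new RuntimeException('unreadable archive or too many entries');
    }
    // Pass 1: cheap rejection on the sizes the archive declares.
    $declared = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $declared += $zip->statIndex($i)['size'] ?? 0;
    }
    if ($declared > MAX_TOTAL_BYTES) {
        throw new RuntimeException("declared size $declared exceeds budget");
    }
    // Pass 2: declared sizes are supplied by the uploader, so count the bytes
    // the decompressor really produces and stop as soon as the budget is hit.
    $written = [];
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to write
        }
        // Server-chosen name: the entry's own path never touches the disk.
        $written[] = $target = sprintf('%s/upload_%04d', $destDir, $i);
        $in = $zip->getStream($name);
        $out = fopen($target, 'wb');
        while ($in && !feof($in) && ($chunk = fread($in, 65536)) !== false) {
            $total += strlen($chunk);
            if ($total > MAX_TOTAL_BYTES) {
                fclose($out);
                array_map('unlink', $written); // leave nothing half-extracted
                throw new RuntimeException('extraction exceeded budget');
            }
            fwrite($out, $chunk);
        }
        fclose($out);
    }
    $zip->close();
    return $written;
}
```

Entries that are themselves archives are written out as ordinary files and never opened, so a multi-layer archive costs no more than its outer layer.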