Currently, if an extension archive contains any extra field, publication is rejected.
Extra fields in general are problematic as they enable parsing differential attacks, especially wrt utf filenames.
A common pattern is actually to have UTC modification times as extra fields, some zip tools do that by default:
The central-directory extra field contains:
- A subfield with ID 0x5455 (universal time) and 5 data bytes.
The local extra field has UTC/GMT modification/access times.
- A subfield with ID 0x7875 (Unix UID/GID (any size)) and 11 data bytes:
01 04 e8 03 00 00 04 e8 03 00 00.
we should have a whitelist of allowed extra fields and let them pass.
Currently, if an extension archive contains any extra field, publication is rejected.
Extra fields in general are problematic as they enable parsing differential attacks, especially wrt utf filenames.
A common pattern is actually to have UTC modification times as extra fields, some zip tools do that by default:
we should have a whitelist of allowed extra fields and let them pass.