
Show HN: A better zip decoder - jorangreef
https://github.com/ronomon/zip
======
Jwarder
What is the intent of the date range checks? Is this a identification signal
where malware would put random numbers in there, or is there an issue with the
dates themselves that malware can exploit?

~~~
jorangreef
Both. Malware archives tend to have bad hygiene when it comes to file formats
and these out of range date integers could also probably be chained into an
exploit. Some C date parsers in zip userland might not expect a month of 13 or
a minute of 62 etc.

That said, some software works on the basis that if you can't imagine the
exploit then there's no point making a fuss, following Postel's "be liberal in
what you accept".

But it's better practice to be strict with invalid data and let someone else
imagine the exploit for other parsers that are less strict. At worst, you
surface implementation bugs quicker and fail fast. At best, you stay safe.
Malware authors are more imaginative than library authors. Implementing the
spec is hard enough. Tolerating deviations from the spec only opens up gaps
and creates ambiguity, fertile soil for exploits.

