
“The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on MacOS that is responsible to decompress zip files does not perform any check on the symlinks before creating them.”

Is that truly legit? It’s very similar to having web servers accept URL paths containing full paths or “../”, both of which have been the cause of many security vulnerabilities.
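The comment above compares unchecked symlinks in an archive to a web server accepting "../" in a path. The following is an added illustration, not code from the thread or from any macOS component, of how an extractor could audit a zip before writing anything: it reads the Unix mode bits that Info-ZIP-style tools store in `external_attr`, resolves each symlink target lexically against an assumed extraction directory (`/tmp/extract`, a placeholder), and also flags later entries whose path would be written through an earlier symlink. The archive it inspects is constructed in memory for the example.

```python
import io
import posixpath
import stat
import zipfile


def add_symlink(zf, name, target):
    """Store a Unix-style symlink entry: S_IFLNK in the high 16 bits of
    external_attr, link target as the entry's data (the Info-ZIP convention)."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so extractors interpret the mode bits
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)


def is_symlink(info):
    """True if the entry's Unix mode bits mark it as a symbolic link."""
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def _inside(dest, path):
    """True if the normalised POSIX path is dest itself or below it."""
    return path == dest or path.startswith(dest + "/")


def _parents(name):
    """All proper path prefixes of an archive entry name ('a/b/c' -> ['a', 'a/b'])."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def audit_archive(zf, dest):
    """Return (entry_name, reason) for every entry that would escape dest.

    Checks are lexical (no filesystem access), which is enough to reject the
    archive before extraction starts; a real extractor should still verify
    paths on disk after creating each entry.
    """
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = set()  # names of symlink entries seen so far, in archive order
    for info in zf.infolist():
        name = info.filename
        # 1. Entry name itself is absolute or climbs out with '..' (the web '../' analogue).
        if name.startswith("/") or not _inside(dest, posixpath.normpath(posixpath.join(dest, name))):
            findings.append((name, "entry name escapes destination"))
            continue
        # 2. Symlink whose target, resolved relative to the link's own directory, leaves dest.
        if is_symlink(info):
            target = zf.read(info).decode("utf-8", "replace")
            link_dir = posixpath.join(dest, posixpath.dirname(name))
            resolved = posixpath.normpath(posixpath.join(link_dir, target))
            if not _inside(dest, resolved):
                findings.append((name, "symlink target escapes destination: " + target))
            symlinks.add(name)
            continue
        # 3. Regular entry written through a symlink created earlier in the archive.
        for parent in _parents(name):
            if parent in symlinks:
                findings.append((name, "written through symlink " + parent))
                break
    return findings


def audit_bytes(data, dest="/tmp/extract"):
    """Audit an in-memory zip; dest is a placeholder extraction directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return audit_archive(zf, dest)


def build_sample_archive():
    """Constructed sample (not taken from the thread): one plain file, one safe
    relative symlink, one absolute symlink, one '..' symlink, and a file whose
    path passes through the absolute symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        add_symlink(zf, "docs/latest", "readme.txt")      # stays inside dest
        add_symlink(zf, "docs/etc", "/etc")               # absolute target
        add_symlink(zf, "docs/up", "../../outside")       # climbs out of dest
        zf.writestr("docs/etc/hosts", "written through the symlink\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_bytes(build_sample_archive()):
        print(f"REJECT {entry}: {reason}")
```

Running the module prints three rejections: the absolute symlink, the traversal symlink, and the `docs/etc/hosts` entry that would be written through the first of them; `docs/latest` is accepted because its target stays under the extraction directory.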



I don't believe this feature is specific to macOS and the zip format. I'm reasonably certain it's possible to `tar` a symbolic link in Windows, Linux, or macOS.




