    Evidence that many library authors are still clueless about age-old basic security practices. This one lands right in the middle of the “2011 CWE/SANS Top 25 Most Dangerous Software Errors”:

      The vulnerability […] is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

      So, commonly-wanted functionality being copy-pasted from SO into unknown numbers of codebases, for years? By people who probably never give a second thought to security (TBH I doubt I would have thought “but what about nefarious paths in the zip file?” when I was just trying to get at some data).

      I think there will be systems vulnerable to this attack for a long time.
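The missing check the thread is talking about, as an added example rather than code from the thread or from any of the affected projects: a Java extraction routine that canonicalises each entry's destination and refuses anything that resolves outside the target directory, driven by a constructed in-memory archive (class name, method names and entry names are all assumptions made for the demo).

```java
import java.io.*;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.*;

public class SafeUnzip {
    // Canonicalise destination + entry name and refuse anything that lands outside
    // the destination: the check the hand-copied extraction snippets leave out.
    static File resolveEntry(File destDir, String entryName) throws IOException {
        String destPath = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        if (!target.getCanonicalPath().startsWith(destPath)) {
            throw new IOException("entry escapes target dir: " + entryName);
        }
        return target;
    }

    static void unzip(byte[] archive, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                Path target = resolveEntry(destDir, e.getName()).toPath();
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);   // reads up to the end of this entry
                }
            }
        }
    }

    // Constructed sample archive: one benign entry, then one whose name climbs out.
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("data/ok.txt"));
            zos.write("fine".getBytes());
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("must never be written".getBytes());
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        try { unzip(sampleArchive(), dest); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Note that the benign entry is already on disk when the second one is rejected; if partial extraction matters, validate every entry name in a first pass before writing anything.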