We should find a reliable JAR detection routine, so that we can block JAR files, instead of having to whitelist all the different zip based fileformats.
- Do a simple ZIP detection like we have now:
- Read with ZipArchive http://php.net/manual/en/ref.zip.php
- Traverse and look with zip_entry_name() for files with:
- .class or .java or .jar
I'm not sure if this works well enough to plug the GIFAR hole however, because we don't really know how Java detects if a zip == a jar. Will have to be verified somehow.