Should I be concerned with infected zip files?

Question

I'm writing a ASP.NET application to process user submitted zip files and limiting my extraction of files from it to only the extensions I want.

I've heard of infected zip files attached to emails and I was wondering if I should be concerned about extracting data from infected zip files in my application. I don't plan on executing the content inside of the zip file, but will opening and extracting from an infected zip file cause the file to execute a virus even if I'm not executing any content inside of the zip file?

Answer 1

It's possible if somebody finds an exploitable flaw in the unzipping implementation... But I've never seen one. I wouldn't say it's something to get worried over.

However, it's not hard to quarantine incoming files, scan them and move them off to your application at a later time. You could even do on-demand scanning but that can cause nasty bottlenecks on a busy system. It all depends how fast you need an uploaded file scanned.