We need an upload facility on the company (Linux/Apache) site so that we can provide files (primarily PDFs) of leaflets and wiring diagrams and, occasionally, CAD. The files will be uploaded from an area protected with a password and username (using .htaccess). In all cases, we are planning for the files to be zipped.
Now, although the upload page will be accessible only by trusted members of staff, I can do paranoid. OTOH, full-blooded security needs quite an effort [Link to a PDF].
I have thought that I could check if the files have the .zip extension with something like:
    $filename = 'afile.zip';
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
and rely on that.
Easy - but the questions are:
Are files with .zip extensions inherently safe from being exploited to hack the site?
What would you do?
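
An added example, not part of the original post: one way to judge an uploaded archive by its content instead of its name, and to store it under a server-chosen name without extracting it. The constants, the storage path and both function names are assumptions, and it needs PHP's zip extension.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES, ALLOWED_INNER and both function names are assumptions.
const UPLOAD_DIR    = '/var/uploads';        // assumed: a directory outside the Apache document root
const MAX_BYTES     = 200 * 1024 * 1024;     // assumed cap on the declared uncompressed size
const ALLOWED_INNER = ['pdf', 'dwg', 'dxf']; // assumed: leaflets, wiring diagrams, CAD

// Returns null when the archive is acceptable, otherwise the reason for rejecting it.
function zip_rejection_reason(string $path): ?string
{
    // A non-empty ZIP starts with a local file header, "PK\x03\x04"; the file name proves nothing.
    if (file_get_contents($path, false, null, 0, 4) !== "PK\x03\x04") {
        return 'not a ZIP archive';
    }
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return 'archive cannot be opened';
    }
    $reason = null;
    $total  = 0;
    for ($i = 0; $i < $zip->numFiles && $reason === null; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat === false ? '' : $stat['name'];
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($name === '') {
            $reason = "entry $i is unreadable";
        } elseif (preg_match('#^[/\\\\]|(^|[/\\\\])\.\.([/\\\\]|$)#', $name)) {
            $reason = "entry $i has an absolute or ../ path";
        } elseif (substr($name, -1) !== '/' && !in_array($ext, ALLOWED_INNER, true)) {
            $reason = "entry $i is not an expected file type";
        } elseif (($total += $stat['size']) > MAX_BYTES) {
            $reason = 'declared uncompressed size is over the limit';
        }
    }
    $zip->close();
    return $reason;
}

// Takes one element of $_FILES and returns the path the archive was stored under.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (($reason = zip_rejection_reason($file['tmp_name'])) !== null) {
        throw new RuntimeException("rejected: $reason");
    }
    // The client-supplied name never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.zip';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store the file');
    }
    return $dest;
}
```

The size check reads the sizes the archive declares about itself, so it is a sanity limit rather than a guarantee.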