Editing ZIP (file format) (section)

=== Combination with other file formats ===
The {{mono|.ZIP}} file format allows for a comment containing up to 65,535 (2<sup>16</sup>−1) bytes of data to occur at the end of the file after the central directory.<ref name="appnote"/> Also, because the central directory specifies the offset of each file in the archive with respect to the start, it is possible for the first file entry to start at an offset other than zero, although some tools might not process archive files that do not start with a file entry at offset zero. The program [[gzip]], for example, happens to be able to extract an entry from a .ZIP file if it is at offset zero.

This allows arbitrary data to occur in the file both before and after the ZIP archive data, and for the archive to still be read by a ZIP application. A side-effect of this is that it is possible to author a file that is both a working ZIP archive and another format, provided that the other format tolerates arbitrary data at its end, beginning, or middle. [[Self-extracting archives]] (SFX), of the form supported by WinZip, take advantage of this, in that they are executable ({{mono|.exe}}) files that conform to the PKZIP AppNote.txt specification, and can be read by compliant zip tools or libraries.

This property of the {{mono|.ZIP}} format, and of the [[JAR (file format)|JAR]] format which is a variant of ZIP, can be exploited to hide rogue content (such as harmful Java classes) inside a seemingly harmless file, such as a GIF image uploaded to the web. This so-called [[Polyglot (computing)#GIFAR attack|GIFAR]] exploit has been demonstrated as an effective attack against web applications such as Facebook.<ref>{{cite web|url=http://www.infoworld.com/article/2653025/security/a-photo-that-can-steal-your-online-credentials.html|title=A photo that can steal your online credentials|first=Robert|last=McMillan|website=Infoworld.com|date=August 2008|access-date=9 September 2017}}</ref>