WinRAR 4.20 is vulnerable to ZIP file name spoofing.
Please upgrade to WinRAR 5.00 release or later, which are not vulnerable.
As reported by https://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html,
it is possible to create a specially crafted ZIP archive,
so WinRAR 4.11 and 4.20 will display one archived file name while browsing
archive contents, but assign another name to unpacked file.
It leads to possible security risks for pre-5.0 WinRAR users.
This vulnerability was discovered by Christian Navarrete in 2009
in WinRAR 3.80, fixed in 3.91, appeared again in 4.11 and finally fixed
in WinRAR 5.00.
We investigated this issue and found that all WinRAR 5.x versions
beginning from WinRAR 5.00 release are not affected, so we recommend
WinRAR 4.x users to upgrade. If you still need to use WinRAR 4.20 for some
reason, avoid opening files directly from ZIP archives and carefully
check names of unpacked files before opening them.
We noticed a claim that WinRAR 5.10 is vulnerable:
copied by some news sites. We asked intelcrawler.com owners to provide
a proof of this claim, but did not receive any response. According to our
investigation, WinRAR 5.00, 5.01 and 5.10 do not have this issue.
Also both sites listed above mention that "WINRAR adds several properties
of its own" to ZIP format, which is not true. Data which they report as
WinRAR specific property is a standard ZIP central directory record,
mandatory for any valid ZIP archive.
RAR archives and archives of other formats are not affected by