Though I've released "zip file upload" modules, the library PEAR::Archive_Zip, which is used by the modules, has two security holes.
(1) Directory traversal when extracting a zip into the file system
(2) It is easy to create a zip that exhausts the server's memory when extracted.
Against (1), don't extract a zip into the file system directly.
require_once 'Archive/Zip.php' ;
// $upload_tmp_file: path of the uploaded temporary zip file
$reader = new Archive_Zip( $upload_tmp_file ) ;
$files = $reader->extract( array( 'extract_as_string' => true ) ) ;
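
Extracting as strings keeps the library from writing to disk, but the entry names are still untrusted if the contents are saved afterwards. The following is an added example, not code from the original post or from Archive_Zip, that vets those names before any write. It assumes each returned entry is an array with 'filename' and 'content' keys; safe_target(), vet_entries() and the sample entries are hypothetical.

```php
<?php
// Added example. Assumption: entries look like
// array('filename' => ..., 'content' => ...), as from an in-memory extraction.

// Return the path under $base_dir for an entry name, or false if the name
// could escape $base_dir.
function safe_target($base_dir, $entry_name)
{
    // Treat backslashes as separators so Windows-style names are caught too.
    $name = str_replace('\\', '/', $entry_name);
    // Reject empty names, NUL bytes, absolute paths and drive prefixes.
    if ($name === '' || strpos($name, "\0") !== false
        || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    // Reject any "." or ".." segment rather than trying to normalise it.
    foreach (explode('/', $name) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return false;
        }
    }
    return rtrim($base_dir, '/') . '/' . $name;
}

// Split entries into those safe to write and those to refuse and log.
function vet_entries(array $entries, $base_dir)
{
    $result = array('accepted' => array(), 'rejected' => array());
    foreach ($entries as $entry) {
        $target = safe_target($base_dir, $entry['filename']);
        if ($target === false) {
            $result['rejected'][] = $entry['filename'];
        } else {
            $result['accepted'][$target] = $entry['content'];
        }
    }
    return $result;
}

// Constructed sample input standing in for the result of extract().
$files = array(
    array('filename' => 'images/photo.jpg', 'content' => 'constructed bytes'),
    array('filename' => '../../etc/passwd', 'content' => 'x'),
    array('filename' => '/var/www/html/index.php', 'content' => 'x'),
    array('filename' => 'docs\\..\\..\\config.php', 'content' => 'x'),
);
$vetted = vet_entries($files, '/srv/uploads/unpacked');
print_r(array_keys($vetted['accepted']));
print_r($vetted['rejected']);
```

A stricter policy is to refuse the whole upload as soon as the rejected list is non-empty.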