Mojira Archive
MC-79749

Server-side resource packs do not validate file extensions

When downloading server-sided resource packs, it appears that the Minecraft client will download anything specified. This means that everything from executables to zip bombs can be sent to the client. This is also a potential venue for the propagation of viruses. Currently I haven't found a way to exploit this that circumvents user interaction, but the fact that servers can download anything onto the client's computer creates an unstable environment. A way of mitigating this problem would be verifying that file-type extensions are .ogg, .json, or .png.
To reproduce, simply send the resource pack attached as a server-sided resource pack, connect, and look under %APPDATA%\.minecraft\server-resource-packs. There should be a file called legacy_resourcepack.zip; this file contains a batch file in the models/blocks folder.
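The extension allowlist the report proposes, as an added example (not Mojang's or the client's code): a check run over a downloaded pack before it is unpacked, which also flags the zip-bomb and path-escape cases. The function names, size limits and the pack.mcmeta exception are assumptions made for this example.

```python
"""Validate a server-sent resource pack before keeping it on disk.

Added example, not Minecraft code. It applies the report's extension
allowlist and also rejects zip bombs and entries that would escape the
pack directory. Names and limits below are assumptions.
"""
import io
import posixpath
import zipfile

ALLOWED_EXTENSIONS = {".ogg", ".json", ".png"}   # allowlist from the report
ALLOWED_NAMES = {"pack.mcmeta"}                  # assumed exact-name exception
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024        # assumed limit, 64 MiB
MAX_RATIO = 100                                  # assumed zip-bomb ratio guard


def check_resource_pack(data: bytes) -> list:
    """Return the reasons the pack is rejected; an empty list means it passed."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    total = 0
    for info in zf.infolist():
        name = info.filename
        if name.endswith("/"):          # directory entry, no payload
            continue
        # Zip slip: absolute paths, '..' components or backslashes escape the pack dir
        norm = posixpath.normpath(name)
        if name.startswith("/") or norm == ".." or norm.startswith("../") or "\\" in name:
            problems.append(f"{name}: unsafe path")
        base = posixpath.basename(name)
        ext = posixpath.splitext(base)[1].lower()
        if base not in ALLOWED_NAMES and ext not in ALLOWED_EXTENSIONS:
            problems.append(f"{name}: extension {ext or '(none)'} not allowed")
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            problems.append(f"{name}: compression ratio looks like a zip bomb")
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def build_pack(entries: dict) -> bytes:
    """Build a constructed sample pack in memory (test helper, not Minecraft code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```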

Invalid

Dylan

2015-04-20, 01:18 AM

2015-05-19, 09:07 AM

2015-04-20, 02:10 AM

0

2

Unconfirmed

Minecraft 1.8.1, Minecraft 1.8.3, Minecraft 1.8.4

-