Re: [dev] [sbase] [patch] Adding tar v2

From: Nick <suckless-dev_AT_njw.me.uk>
Date: Tue, 16 Jul 2013 08:58:49 +0100

Quoth Chris Down:
> On 14 July 2013 20:42, Nick <suckless-dev_AT_njw.me.uk> wrote:
> > I'd be inclined to check for and filter out leading .. and /
> > characters, to avoid tarballs doing unexpectedly evil things.
>
> I think all security onus for stuff like that should be on the user --
> they can still do unexpectedly evil things either way (even stripping
> .. and /). It should be the user's responsibility to verify what will
> happen when a tarball is extracted using -t.

What other evil things can tar creators do?

Going back to the workflow question, then, who here always checks
the list of all files in an archive to check that there's nothing
with a suspicious path? I know I don't, because I can trust gnu tar
to check for me, and that's a Good Thing.

Received on Tue Jul 16 2013 - 09:58:49 CEST
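As an added example, not code from this thread or from sbase: the check the thread is arguing about, written in Python against the standard `tarfile` module. It rejects member names that are absolute or that contain a `..` component, which is what the original suggestion covered, and it goes a little beyond that by also rejecting symlink and hardlink targets that resolve outside the extraction directory, since a later member written through such a link lands outside the tree just as a `..` path would. The archive is constructed in memory so the example runs offline, and the helper names (`build_sample_tar`, `classify`, `safe_extract`, `run_demo`) are mine.

```python
import io
import os
import posixpath
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple


def build_sample_tar() -> bytes:
    """Constructed sample: one harmless member plus four that try to escape the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes = b"", kind: bytes = tarfile.REGTYPE, linkname: str = "") -> None:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.size = len(data)
            info.linkname = linkname
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("pkg/README", b"harmless\n")
        add("/etc/passwd", b"root::0:0::/:/bin/sh\n")                          # absolute path
        add("pkg/../../.ssh/authorized_keys", b"ssh-ed25519 AAAA attacker\n")   # '..' traversal
        add("pkg/link", kind=tarfile.SYMTYPE, linkname="../../../etc")        # symlink out of the tree
        add("pkg/link/shadow", b"owned\n")                                    # would write through it
    return buf.getvalue()


def classify(member: tarfile.TarInfo) -> Optional[str]:
    """Return why a member is unsafe to extract under the destination, or None if it is fine."""
    name = member.name
    if posixpath.isabs(name):
        return "absolute path"
    if ".." in name.split("/"):
        return "'..' component"
    if member.isdev():
        return "device node"
    if member.issym() or member.islnk():
        target = member.linkname
        if member.issym():
            # A symlink target is relative to the directory the link itself lives in.
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
        else:
            # A hard link target names another member, relative to the archive root.
            resolved = posixpath.normpath(target)
        if posixpath.isabs(target) or resolved == ".." or resolved.startswith("../"):
            return "link target escapes extraction dir"
    return None


def safe_extract(tar_bytes: bytes, dest: str) -> Tuple[List[str], Dict[str, str]]:
    """Extract only members that pass classify() and still resolve under dest on disk."""
    dest = os.path.realpath(dest)
    extracted: List[str] = []
    rejected: Dict[str, str] = {}
    # Python 3.12+ ships its own extraction filter; use it as a second layer when present.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            reason = classify(member)
            if reason is None:
                # Resolve the on-disk parent at extraction time: this catches a write
                # through a symlink that an earlier member or the filesystem created.
                parent = os.path.realpath(os.path.dirname(os.path.join(dest, member.name)))
                if parent != dest and not parent.startswith(dest + os.sep):
                    reason = "resolves outside destination"
            if reason is not None:
                rejected[member.name] = reason
                continue
            tar.extract(member, dest, **extract_kwargs)
            extracted.append(member.name)
    return extracted, rejected


def run_demo() -> Tuple[List[str], Dict[str, str]]:
    """Extract the constructed archive into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_tar(), dest)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("extracted:", ok)
    for name, why in bad.items():
        print("rejected:", name, "->", why)
```

The name-based check alone is what a `-t` listing lets a human do by eye; the realpath check at extraction time is the part a listing cannot give you, because it depends on what is already on disk when each member is written.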

This archive was generated by hypermail 2.3.0 : Tue Jul 16 2013 - 10:00:07 CEST