Re: [dev] [sbase] [patch] Adding tar v2

From: Carlos Torres <vlaadbrain_AT_gmail.com>
Date: Tue, 16 Jul 2013 07:18:08 -0400

On Jul 16, 2013 3:58 AM, "Nick" <suckless-dev_AT_njw.me.uk> wrote:
>
> Quoth Chris Down:
> > On 14 July 2013 20:42, Nick <suckless-dev_AT_njw.me.uk> wrote:
> > > I'd be inclined to check for and filter out leading .. and /
> > > characters, to avoid tarballs doing unexpectedly evil things.
> >
> > I think all security onus for stuff like that should be on the user --
> > they can still do unexpectedly evil things either way (even stripping
> > .. and /). It should be the user's responsibility to verify what will
> > happen when a tarball is extracted using -t.
>
> What other evil things can tar creators do?
>
I dislike archives that don't extract into there own directory. Like Chris
said -t

> Going back to the workflow question, then, who here always checks
> the list of all files in an archive to check that there's nothing
> with a suspicious path? I know I don't, because I can trust gnu tar
> to check for me, and that's a Good Thing.
>
Received on Tue Jul 16 2013 - 13:18:08 CEST