Re: [dev] [sbase] [patch] Adding tar v2

From: Markus Wichmann <nullplan_AT_gmx.net>
Date: Wed, 17 Jul 2013 15:52:20 +0200

On Tue, Jul 16, 2013 at 08:58:49AM +0100, Nick wrote:
> Quoth Chris Down:
> > On 14 July 2013 20:42, Nick <suckless-dev_AT_njw.me.uk> wrote:
> > > I'd be inclined to check for and filter out leading .. and /
> > > characters, to avoid tarballs doing unexpectedly evil things.
> >
> > I think all security onus for stuff like that should be on the user --
> > they can still do unexpectedly evil things either way (even stripping
> > .. and /). It should be the user's responsibility to verify what will
> > happen when a tarball is extracted using -t.
>
> What other evil things can tar creators do?
>

Create a tar that contains itself?

> Going back to the workflow question, then, who here always checks
> the list of all files in an archive to check that there's nothing
> with a suspicious path? I know I don't, because I can trust gnu tar
> to check for me, and that's a Good Thing.

I do partially. That is, I usually list the archive before unpacking,
but I don't visually scan each and every entry, because, for one, I use
st, so no scrollback buffer (I refuse to run a terminal multiplexer in
an environment, where it is never going to see more than one terminal),
and the other is laziness. (I am going to assume that the tarball I
regretfully had to download from the FSF's main FTP site actually
contains what it says on the tin. Speaking of which, is anyone up for
some suckless binutils?)

Ciao,
Markus
Received on Wed Jul 17 2013 - 15:52:20 CEST
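The member-name check Nick proposes above (rejecting leading `..` and `/`), written out as an added example; this is not sbase's tar code. It goes one step further than the leading-only check and rejects a `..` component anywhere in the name, because a name like `ok/../../escape` still climbs out of the extraction directory. The function name and the sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Decide whether a tar member name may be extracted below the current
 * directory.  Rejects empty names, absolute names, and any ".." path
 * component, not just a leading one.  Added example, not sbase code. */
int
tar_name_is_safe(const char *name)
{
	const char *p = name;

	if (!name || !*name)
		return 0;            /* empty name: nothing sensible to extract */
	if (*name == '/')
		return 0;            /* absolute path ignores the target directory */

	while (*p) {
		size_t len = strcspn(p, "/");   /* length of this path component */

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return 0;    /* ".." component climbs out of the tree */
		p += len;
		while (*p == '/')
			p++;         /* skip the separator(s) before the next one */
	}
	return 1;
}

/* Driver over constructed member names (not taken from a real archive). */
int
main(void)
{
	static const char *names[] = {
		"src/main.c", "./README", "../evil", "/etc/passwd",
		"ok/../../escape", "a..b/c", "trailing/", "",
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-20s %s\n", names[i],
		       tar_name_is_safe(names[i]) ? "extract" : "REJECT");
	return 0;
}
```

A real extractor would apply the same test to hard-link and symlink targets stored in the header, since those are paths too.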