Re: [dev] [sbase] [patch] Adding tar v2
On 14 July 2013 20:42, Nick <suckless-dev_AT_njw.me.uk> wrote:
> Quoth Galos, David:
>> Thanks in large part to your information about how you invoke tar, I
>> believe I have come up with a decent solution. I also was able to
>> find the structified version of tar I had worked on in the past.
>
> I'd be inclined to check for and filter out leading .. and /
> characters, to avoid tarballs doing unexpectedly evil things.
I think all security onus for stuff like that should be on the user --
they can still do unexpectedly evil things either way (even stripping
.. and /). It should be the user's responsibility to verify what will
happen when a tarball is extracted using -t.
Received on Sun Jul 14 2013 - 21:34:42 CEST
This archive was generated by hypermail 2.3.0
: Sun Jul 14 2013 - 21:36:13 CEST