This is related to a patch I posted on dev_AT_, and plan to improve, so
hopefully it fits into what you planned for hackers_AT_. If not, do
berate me.
Quoth Dimitris Papastamos:
> On Mon, Apr 27, 2015 at 08:12:42PM +0100, Nick wrote:
> > One thing the patch doesn't cover is an archive using a symlink to
> > somewhere like ../../ and then putting a file in symlink/newfile
> > (hence sending it to ../../newfile). I only thought of that when
> > reading the bsdtar manpage[0].
> >
> > I'm not sure what the best behaviour is in that case. Some options:
> > ...
> > 3) Refuse to create any file following a symlink (this is the
> > default behaviour of bsdtar)
> > ...
>
> I am not sure what the proper approach is. Option 3) sounds pretty
> safe as a starting point.
Quoth Truls Becken:
> +1 for option 3)
> Why would anybody want to trust somebody that creates malicious
> archives like that?
> A symlink in an archive should just be a symlink, nothing more.
Yeah. I didn't like option 3 initially, as I imagined archives being
created which included lots of complex symlink stuff that was
important to replicate, but actually any non-malicious tar should
use a canonical file path, and not a symlink one, obviously. I
should double-check our tar implementation does that.
But yes, I shall write up a patch implementing option 3 shortly.
Sorry for the delay.
It's nice: once this is done, our tar should be the most secure
implementation there is. As I mentioned previously, bsdtar
supposedly does option 3, but the code is littered with FIXMEs, so
I'm not convinced that it is solid. But with this in place, and the
previous stuff stripping path traversal stuff, all the attacks I
know of are nicely defended against. Can any creative thinkers
imagine other ways to screw someone using a tar archive?
Nick
Received on Fri Jun 05 2015 - 01:39:33 CEST
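The refusal Nick proposes (option 3), as an added example in C that is not part of the thread or of the sbase tar: `path_follows_symlink` and `create_member` are hypothetical names, and `run_demo` builds a constructed `out/escape -> ../..` tree in a temporary directory to show the check refusing `out/escape/newfile` while allowing `out/real/newfile`.

```c
/* Added example (not sbase code), "option 3" from the thread: refuse to
 * create an entry when any directory component of its path is a symlink. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 if a directory prefix of path is a symlink, 0 if none (prefixes that do
 * not exist yet are fine, extraction will create them), -1 on error. */
int path_follows_symlink(const char *path)
{
	char buf[4096], *p;
	struct stat st;
	if (strlen(path) >= sizeof buf) return -1;
	strcpy(buf, path);
	for (p = buf; (p = strchr(p, '/')) != NULL; p++) {
		if (p == buf) continue; /* leading '/' of an absolute path */
		*p = '\0';              /* buf now holds one directory prefix */
		if (lstat(buf, &st) == 0) {
			if (S_ISLNK(st.st_mode)) return 1;
		} else if (errno != ENOENT)
			return -1;
		*p = '/';
	}
	return 0;
}
/* Create a member file: -1 if the path goes through a symlink; O_NOFOLLOW|O_EXCL also refuse a symlink as the final component. */
int create_member(const char *path)
{
	if (path_follows_symlink(path) != 0) return -1;
	return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}
/* Constructed scenario in a temp dir: 0 when out/escape/newfile is refused and out/real/newfile accepted, else a code naming the failure. */
int run_demo(void)
{
	char dir[] = "/tmp/tarsymXXXXXX";
	int fd, rc = 0;
	if (!mkdtemp(dir) || chdir(dir) < 0 || mkdir("out", 0755) < 0 ||
	    symlink("../..", "out/escape") < 0 || mkdir("out/real", 0755) < 0)
		return 1;
	if (create_member("out/escape/newfile") != -1) rc = 2; /* must be refused */
	if ((fd = create_member("out/real/newfile")) < 0) rc = 3; /* must be allowed */
	else close(fd);
	unlink("out/real/newfile"); rmdir("out/real"); unlink("out/escape"); rmdir("out");
	chdir("/"); rmdir(dir); return rc;
}
```

The lstat-then-open sequence is still racy against a local attacker who swaps a directory for a symlink in between; an extractor that opens each component with openat() and O_NOFOLLOW closes that window.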