Subject: Re: tar ignores filenames that contain `..'
To: None <tech-pkg@netbsd.org, current-users@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 10/23/2002 13:22:35
On Wed, Oct 23, 2002 at 01:06:40PM -0400, Todd Vierling wrote:
> On Wed, 23 Oct 2002, Alistair Crooks wrote:
>
> : And I will jump in and say that it is really pax's problem. This is
> : because (a) a lot of the distfiles that we use in pkgsrc come with
> : symbolic links with ".." in them,
>
> Symbolic links whose *content* contains "../" are not the same thing as file
> entries in a tar file whose *filename* contains "../".
>
> The former should be unconditionally allowed by pax, as the default is to
> unlink before creating; there's no risk of overwriting files outside the
> destination tree, even if a created symlink points outside the destination
> tree.
>
> The latter should be unconditionally disallowed by pax, as it's beyond bad
> form and is already warned about by GNU tar.
I agree 100%. If pax isn't allowing symlinks whose _target_ contains ..,
that's a bug. On the other hand, I'm quite strongly opposed to making it
extract anything whose _pathname_ contains .. .
Thor
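An added example (not code from this thread or from pax/tar) that makes the distinction above concrete: it inspects an archive's members without extracting them and rejects only entries whose own pathname is absolute or contains a `..` component, while a symlink whose link target contains `..` is reported as allowed. The archive is constructed inline; `unsafe_pathname`, `classify_members` and `build_sample_archive` are names chosen for this example.

```python
import io
import tarfile
from pathlib import PurePosixPath


def unsafe_pathname(name: str) -> bool:
    # Reject absolute names and any ".." component in the member's own name.
    return name.startswith("/") or ".." in PurePosixPath(name).parts


def classify_members(archive: bytes) -> list[tuple[str, str]]:
    # Inspect only; nothing is extracted. A symlink is judged by its *name*,
    # not by its link target, so "../include/x" as a target is fine.
    verdicts = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if unsafe_pathname(m.name):
                verdicts.append((m.name, "reject"))
            elif m.issym():
                verdicts.append((m.name, f"allow symlink -> {m.linkname}"))
            else:
                verdicts.append((m.name, "allow"))
    return verdicts


def build_sample_archive() -> bytes:
    # Constructed sample archive for this example, not a real distfile.
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("pkg/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("pkg/config.h")  # symlink; target uses ".."
        link.type = tarfile.SYMTYPE
        link.linkname = "../include/config.h"
        tar.addfile(link)

        bad = tarfile.TarInfo("pkg/../../etc/passwd")  # pathname uses ".."
        bad.size = len(data)
        tar.addfile(bad, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in classify_members(build_sample_archive()):
        print(name, verdict)
```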