Re: Tar extract behaviour changed

[christos%astron.com@localhost (Christos Zoulas)]

In article <20191022200319.GA83891%bec.de@localhost>,
Joerg Sonnenberger  <joerg%bec.de@localhost> wrote:
>On Tue, Oct 22, 2019 at 08:00:35PM +0200, Christian Groessler wrote:
>> "tar" had an option to delete files which it is about to extract before
>> extraction. Wouldn't this solve the "symlink" issue at hand? What am I
>> missing?
>
>See the SECURITY section in the man page. Both -U and -P are ways to
>dealing with this, but with different end result.


Here are two simple patches:

1. Track symlinks that tar created and for them keep the current behavior
   of overwriting them, but extract through pre-existing ones:

   https://www.netbsd.org/~christos/track-symlinks.diff

   Pros: default behavior
   Cons: adds complexity, have not thought through all the possible scenarios,
	 can slow down things when there are lots of symlinks.

2. Add a flag to just allow symlinks:

   https://www.netbsd.org/~christos/track-symlinks.diff

   Pros: simple and reduces the attack surface, gets the behavior we had
	 before
   Cons: not standard, malicious tars can still do damage.

I am not advocating for either, perhaps we should just add -P to the
extraction and get over it :-)

christos