Subject: Re: tar ignores filenames that contain `..'
To: Seth Kurtzberg <>
From: Frederick Bruckman <>
List: tech-security
Date: 10/23/2002 11:47:06
On 23 Oct 2002, Seth Kurtzberg wrote:

> Isn't it straightforward to extract the files from the tar archive in a
> temporary area, and recreate the tar file with the command line
> parameters that force it to use full directory paths?

No, not at all. What's to keep "tar-slash-pax" from breaking out
of the temporary area? The extractor needs to keep track and pay
attention to what it's doing -- I don't see any way around that.

I feel, now, the security implications of hacking on
pkg_add/pkg_create are less than those of hacking on tar/pax, so that's
the way we should go. Either that, or do as the base install does, and
force symlinks to be absolute to the ultimate location.
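
The bookkeeping the reply asks of the extractor, as an added Python sketch (not code from this thread, nor from tar, pax or pkg_add): it walks an archive without extracting it, remembers each symlink member, and flags members whose path leaves the extraction root through `..` or through an earlier symlink. The function names and the sample archive are constructed for illustration; treating absolute names and absolute symlink targets as escapes is an assumed policy.

```python
import io
import tarfile

def resolve(parts, links):
    """Resolve components in a virtual root via earlier symlinks; None if it escapes."""
    cur, queue, hops = [], list(parts), 0
    while queue:
        part = queue.pop(0)
        if part == "..":
            if not cur:
                return None              # climbed above the root
            cur.pop()
        elif part not in ("", "."):
            cur.append(part)
            target = links.get(tuple(cur))
            if target is not None:
                hops += 1
                if target.startswith("/") or hops > 40:
                    return None          # absolute target or symlink loop
                cur.pop()                # target is relative to the link's directory
                queue = target.split("/") + queue
    return tuple(cur)

def escaping_members(tar_bytes):
    """Names of members that would land outside the extraction root.
    A symlink's own last component is recorded, not followed."""
    links, bad = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            parts = m.name.split("/")
            walk = parts[:-1] if m.issym() else parts
            where = None if m.name.startswith("/") else resolve(walk, links)
            if where is None or (m.issym() and parts[-1] == ".."):
                bad.append(m.name)
            elif m.issym():
                links[where + (parts[-1],)] = m.linkname
    return bad

def sample_archive():
    """Constructed archive: (member name, symlink target or None)."""
    members = [("pkg/README", None), ("pkg/../../etc/motd", None), ("pkg/up", "../.."),
               ("pkg/up/escaped", None), ("pkg/lib", "share"), ("pkg/lib/data", None)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, link in members:
            ti = tarfile.TarInfo(name)
            if link is not None:
                ti.type, ti.linkname = tarfile.SYMTYPE, link
            tf.addfile(ti)
    return buf.getvalue()
```

`escaping_members(sample_archive())` flags the `..` member and the file written through the `pkg/up` symlink, while `pkg/lib/data`, which goes through a symlink that stays inside the root, passes.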