Subject: Re: tar ignores filenames that contain `..'
To: Frederick Bruckman
From: Jason R Thorpe
List: tech-security
Date: 10/23/2002 09:47:59

On Wed, Oct 23, 2002 at 11:35:27AM -0500, Frederick Bruckman wrote:

 > Would it be acceptable, security-wise, to permit relative links in the
 > archive (slash-package) with some constraints, like making sure
 > leading directories are not symlinks, and counting them to make sure
 > that any "../"'s don't break out of the extracted hierarchy? Or
 > are relative links so evil, that we have to change the way we support
 > building to ${DESTDIR}?

That certainly seems acceptable to me.

        -- Jason R. Thorpe
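
The two constraints proposed in the quoted question (counting "../" components so a relative link cannot leave the extracted hierarchy, and refusing leading directories that are symlinks) can be expressed as the following checks. This is an added C example, not part of the original message and not code from NetBSD tar or pax; the function names `link_stays_inside` and `leading_dirs_not_symlinks` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Walk `path` one component at a time, tracking depth below the extraction
 * root. skip_last ignores the final component. Returns 0 if ".." escapes. */
static int walk(const char *path, int skip_last, int *depth) {
    for (size_t n; *path; path += n + strspn(path + n, "/")) {
        n = strcspn(path, "/");
        if (skip_last && path[n] == '\0')
            break;                  /* the link's own name is not a directory */
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            if (--*depth < 0)
                return 0;
        } else if (n > 0 && !(n == 1 && path[0] == '.'))
            ++*depth;               /* "" and "." leave the depth unchanged */
    }
    return 1;
}

/* 1 if relative symlink `target`, stored at member `link_path`, stays inside
 * the extracted hierarchy; absolute paths are refused outright. */
int link_stays_inside(const char *link_path, const char *target) {
    int depth = 0;
    return link_path[0] != '/' && target[0] != '/' &&
           walk(link_path, 1, &depth) && walk(target, 0, &depth);
}

/* 1 if no already-extracted leading directory of `member` under `root` is a
 * symlink; the ".." count above is only meaningful when this holds. */
int leading_dirs_not_symlinks(const char *root, const char *member) {
    char buf[PATH_MAX];
    struct stat st;
    const char *p = member;
    for (;;) {
        p += strcspn(p, "/");
        if (*p == '\0')
            return 1;               /* reached the member's own name */
        int len = snprintf(buf, sizeof buf, "%s/%.*s", root,
                           (int)(p - member), member);
        if (len < 0 || (size_t)len >= sizeof buf)
            return 0;               /* too long to check: refuse */
        if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode))
            return 0;
    	p += strspn(p, "/");
    }
}
```

The depth count is purely lexical, so it is only trustworthy together with the symlink test: a directory component that is itself a symlink makes ".." resolve somewhere the count did not predict.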