Subject: Re: tar ignores filenames that contain `..'
To: Thor Lancelot Simon <>
From: Todd Vierling <>
List: tech-security
Date: 10/23/2002 13:37:32

On Wed, 23 Oct 2002, Thor Lancelot Simon wrote:

: > Symbolic links whose *content* contains "../" are not the same thing as file
: > entries in a tar file whose *filename* contains "../".

: > The latter should be unconditionally disallowed by pax, as it's beyond bad
: > form and is already warned about by GNU tar.

: I'm quite strongly opposed to making it extract anything whose _pathname_
: contains .. .

Agreed, although for the flexibility-of-Unix sake, this check should happen
after -s transformations have been applied, so that erroneously created tar
files can be extracted by hand (by replacing the .. components with
something sane).

I don't know what our pax's behavior currently is offhand.

-- Todd Vierling <>
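
Added example, not part of the original message and not pax's own code: a sketch of the ordering proposed above, where the ".." test runs on the member name after the rewrite rule has been applied. The function names are hypothetical, and `subst_first` is an assumed stand-in for a single `-s` rule (first match of a POSIX basic regex, literal replacement).

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if any '/'-separated component of path is exactly "..". */
int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        while (*p == '/')                    /* skip separator(s) */
            p++;
    }
    return 0;
}

/* Hypothetical stand-in for one -s rule: replace the first match of the
 * basic regex `pat` in `in` with literal `rep`. 0 on success, -1 on error. */
int subst_first(const char *pat, const char *rep,
                const char *in, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m;
    int n;
    if (regcomp(&re, pat, 0) != 0)
        return -1;
    if (regexec(&re, in, 1, &m, 0) == 0)     /* prefix + rep + suffix */
        n = snprintf(out, outsz, "%.*s%s%s", (int)m.rm_so, in, rep, in + m.rm_eo);
    else
        n = snprintf(out, outsz, "%s", in);  /* no match: name unchanged */
    regfree(&re);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Decide on the name *after* rewriting: 1 = extract, 0 = refuse.
 * pat == NULL means no rewrite rule was given. */
int allow_member(const char *name, const char *pat, const char *rep)
{
    char rewritten[1024];
    if (pat != NULL) {
        if (subst_first(pat, rep, name, rewritten, sizeof rewritten) != 0)
            return 0;                        /* bad rule or overlong name: fail closed */
        name = rewritten;
    }
    return !has_dotdot(name);
}
```

Checking after the rewrite lets a rule that replaces the ".." components rescue a badly made archive, and it also refuses a name whose ".." was introduced by the rule itself.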