Current-Users archive


Re: Tar extract behaviour changed



On Mon, Oct 21, 2019 at 05:34:44PM -0000, Christos Zoulas wrote:
> In article <20191021163005.GA4922%bec.de@localhost>,
> Joerg Sonnenberger  <joerg%bec.de@localhost> wrote:
> >On Mon, Oct 21, 2019 at 06:29:18AM -0700, Hisashi T Fujinaka wrote:
> >> On Mon, 21 Oct 2019, Martin Husemann wrote:
> >> 
> >> > On Mon, Oct 21, 2019 at 11:54:44AM +0200, J. Hannken-Illjes wrote:
> >> > > Somewhere between NetBSD-8 and NetBSD-9 "tar" changed its behaviour
> >> > > when it has to extract a directory and the path exists as a symlink.
> >> > 
> >> > I still believe it should be fixed, but Jörg disagrees. You need to use -P
> >> > now. See PR 54467.
> >> 
> >> Yeah it's a real pain in my you-know-what. Is it Joerg vs everyone else?
> >
> >It is NetBSD pax vs pretty much any maintained tar implementation.
> 
> Indeed, and it is a security issue to revert to the original tar behavior.
> The new behavior is clearly better from a security PoV.
> What I don't like about -P though is that it is an "all or nothing" deal:
> 
> N Function				PaX as Tar	Libarchive Tar
> ----------------------------------------------------------------------
> 1 keeping leading '/'			-P		-P
> 2 extracting files containing  ".."	--insecure	-P
> 3 obeying existing symlinks		default		-P
> 
> I would prefer to have a separate option that just does [3], but if upstream
> does not think it is useful it is better to live with -P.

Feel free to write a patch :) That said, I don't really see a point in
allowing one form of arbitrary file replacement and not another.

Joerg
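
The three rows of the table quoted above, written as a pre-extraction audit that reports which archive members would need -P (or --insecure) to be extracted. This is an added example, not part of the original message and not code from pax or libarchive; the function names, member names and directory layout are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def classify(name, is_dir, dest):
    """Return the table rows (1, 2, 3) that one member name would trigger."""
    rows = set()
    if name.startswith("/"):
        rows.add(1)                      # row 1: leading '/'
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        rows.add(2)                      # row 2: path contains ".."
    # Row 3: a path component already exists in dest as a symlink.
    # The last component only counts when the member is a directory.
    check = parts if is_dir else parts[:-1]
    cur = dest
    for p in check:
        if p == "..":
            break                        # already reported as row 2
        cur = os.path.join(cur, p)
        if os.path.islink(cur):
            rows.add(3)
            break
    return sorted(rows)


def audit(tar_bytes, dest):
    """Map each member name to its rows without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return {m.name: classify(m.name, m.isdir(), dest) for m in tf}


def demo():
    """Constructed archive and destination tree, for illustration only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("ok/file.txt", "/etc/example.conf",
                     "a/../../escape.txt", "link/file.txt"):
            tf.addfile(tarfile.TarInfo(name))
        d = tarfile.TarInfo("link")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
    with tempfile.TemporaryDirectory() as top:
        dest, other = os.path.join(top, "dest"), os.path.join(top, "other")
        os.mkdir(dest)
        os.mkdir(other)
        os.symlink(other, os.path.join(dest, "link"))
        return audit(buf.getvalue(), dest)
```

Members that come back with an empty list extract the same way with or without -P; anything else is a candidate for review before the flag is added to a script.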

