Re: bin/54467: new tar overwrites symlinks to directories

[Christos Zoulas <christos%zoulas.com@localhost>]

The following reply was made to PR bin/54467; it has been noted by GNATS.

From: Christos Zoulas <christos%zoulas.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: gnats-admin%netbsd.org@localhost,
 netbsd-bugs%netbsd.org@localhost,
 "martin%netbsd.org@localhost" <martin%NetBSD.org@localhost>
Subject: Re: bin/54467: new tar overwrites symlinks to directories
Date: Sun, 18 Aug 2019 18:27:58 +0300

 Looking at -P on bsdtar.c:
 
 /* A basic set of security flags to request from libarchive. */
 #define SECURITY                                        \ 
         (ARCHIVE_EXTRACT_SECURE_SYMLINKS                \
          | ARCHIVE_EXTRACT_SECURE_NODOTDOT)
 
 .....
 #if 0
                 /*
                  * The common BSD -P option is not necessary, since
                  * our default is to archive symlinks, not follow
                  * them.  This is convenient, as -P conflicts with GNU
                  * tar anyway.
                  */
                 case 'P': /* BSD convention */
                         /* Default behavior, no option necessary. */
                         break;
 #endif
                 case 'P': /* GNU tar */
                         bsdtar->extract_flags &= ~SECURITY;
                         bsdtar->flags |= OPTFLAG_ABSOLUTE_PATHS;
                         break;
 
 
 So I guess -P does what we want and unfortunately more. I'd rather it
 just disabled ARCHIVE_EXTRACT_SECURE_SYMLINKS... We could
 add a long option that did exactly want we wanted I guess:
 --security=-extract-secure-symlinks
 
 christos