Subject: Re: tar ignores filenames that contain `..'
To: Todd Vierling <tv@pobox.com>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 10/23/2002 12:10:54
On Wed, 23 Oct 2002, Todd Vierling wrote:
> On Wed, 23 Oct 2002, Alistair Crooks wrote:
>
> : And I will jump in and say that it is really pax's problem. This is
> : because (a) a lot of the distfiles that we use in pkgsrc come with
> : symbolic links with ".." in them,
>
> Symbolic links whose *content* contains "../" are not the same thing as file
> entries in a tar file whose *filename* contains "../".
>
> The former should be unconditionally allowed by pax, as the default is to
> unlink before creating; there's no risk of overwriting files outside the
> destination tree, even if a created symlink points outside the destination
> tree.
You know, that makes sense. So what's all the hoopla about? Can
someone who's privy to the pax/tar maintainer's discussion refute that?
It also occurs to me that there are no security implications to
creating archives with symlinks. Calling that a security hole is on
the same level as claiming that the very existence of "tcpdump" is a
security breach.
> The latter should be unconditionally disallowed by pax, as it's beyond bad
> form and is already warned about by GNU tar.
Frederick