Subject: Re: tar ignores filenames that contain `..'
To: Alistair Crooks <agc@wasabisystems.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 10/23/2002 13:06:40
On Wed, 23 Oct 2002, Alistair Crooks wrote:

: And I will jump in and say that it is really pax's problem.  This is
: because (a) a lot of the distfiles that we use in pkgsrc come with
: symbolic links with ".." in them,

Symbolic links whose *content* contains "../" are not the same thing as file
entries in a tar file whose *filename* contains "../".

The former should be unconditionally allowed by pax, as the default is to
unlink before creating; there's no risk of overwriting files outside the
destination tree, even if a created symlink points outside the destination
tree.

The latter should be unconditionally disallowed by pax, as it's beyond bad
form and is already warned about by GNU tar.

-- 
-- Todd Vierling <tv@pobox.com>
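As an added illustration of the distinction drawn above (this is not code from the thread, from pax or from GNU tar): a Python check that rejects tar entries whose *name* climbs out of the extraction tree, while merely reporting symlinks whose *target* does. The sample archive and its entry names are constructed here for the demonstration.

```python
import io
import posixpath
import tarfile


def climbs_out(path: str) -> bool:
    """True if a path is absolute or has a '..' component.  Entry names in a
    tar/pax archive are POSIX paths, so posixpath is used on every host OS."""
    return posixpath.isabs(path) or ".." in path.split("/")


def audit_archive(data: bytes) -> dict:
    """Classify the members of an uncompressed tar archive held in memory.

    'reject' holds entry *names* that climb out of the destination tree: the
    case the post says pax should refuse outright.  'symlinks_out' holds
    symlinks whose *target* climbs out; per the post these are tolerable,
    since unlink-before-create means pax never writes through them.
    """
    result = {"reject": [], "symlinks_out": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            if climbs_out(m.name):
                result["reject"].append(m.name)
            elif m.issym() and climbs_out(m.linkname):
                result["symlinks_out"].append((m.name, m.linkname))
    return result


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical entries): one ordinary file, one entry
    whose name contains '..', and one symlink whose target contains '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        for name in ("pkg/README", "../etc/passwd"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg/include")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../usr/include"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample_archive()))
```

Running it reports `../etc/passwd` under `reject` and the `pkg/include` symlink only under `symlinks_out`, which is exactly the split argued for above.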