Subject: Re: tar ignores filenames that contain `..'
To: Alistair Crooks <agc@wasabisystems.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 10/23/2002 19:26:04
A modified version of my pax-mods proposal:

It was noted to me offlist that perhaps checking all in-filesystem symlinks
would be useful after all.  So, I've nixed the symlink name cache below and
gone to uniform lstat(2)-walking.

=====

1. Create a "safe mode" flag in pax, which will make all of the following
   an error rather than a warning.  Use this flag in e.g. pkg_add(8).

2. For each entry being extracted, warn if any intervening path component is
   a symlink in the filesystem.  (This catches both extant symlinks *and*
   those created by pax.)

   If the entry's full path is an extant symlink, however, don't warn; do
   standard unlink-and-create logic.  (This would have to be tested as to
   whether it DTRT for non-plain-files, e.g. directories and device nodes,
   that replace symlinks in the filesystem.  The idea is that even a
   directory that exactly matches an extant symlink would simply replace the
   symlink with a directory safely.)

3. If a file is encountered in the archive which contains "../" in its
   pathname, warn (without regard to whether the path appears to stay within
   the archive; this is a corner case and difficult to get "right" in the
   face of possible symlink warnings, above).

=====

The above keeps the warnings more uniform and easier to understand/explain.
It's unusual for symlinks to sit in the middle of an extracted entry's path,
so it probably is a good idea to warn about them all around.

Since (2) would involve some significant lstat(2) load, it would probably be
a good idea to cache results with hsearch(3) or similar.  Note that
if these results are cached, they need to be obliterated if a later entry in
the archive unlinks the symlink in question.

-- 
-- Todd Vierling <tv@pobox.com>
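An added illustration of points (2) and (3), not part of the proposal above and not pax source: a C sketch that lstat(2)-walks the intervening components of an entry's destination path and separately flags a ".." component in the member name. The function names, the extraction-root argument and the /tmp fixture are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Rule 3: flag any ".." component in the member name, wherever the path lands. */
int has_dotdot(const char *name)
{
    size_t n = strlen(name);
    return !strcmp(name, "..") || !strncmp(name, "../", 3) ||
           strstr(name, "/../") != NULL || (n >= 3 && !strcmp(name + n - 3, "/.."));
}

/* Rule 2: lstat(2) each intervening component of root/name. Returns 1 if one is
 * a symlink (the last component is left to unlink-and-create), 0 if clean, -1 on overflow. */
int intervening_symlink(const char *root, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    int base = snprintf(path, sizeof path, "%s/", root);
    for (const char *p = name; (p = strchr(p, '/')) != NULL && p[1] != '\0'; p++) {
        size_t n = (size_t)(p - name);
        if (p == name || p[-1] == '/')
            continue;   /* empty component, as in "a//b": nothing new to check */
        if (base < 0 || (size_t)base + n >= sizeof path) return -1;
        memcpy(path + base, name, n);
        path[base + n] = '\0';
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) return 1;
    }
    return 0;
}

/* Constructed fixture (not pax): ROOT/real is a directory, ROOT/lnk -> real. */
const char *fixture_root(void)
{
    static char root[] = "/tmp/paxsafeXXXXXX";
    static int ready;
    char path[PATH_MAX];
    if (!ready) {
        if (mkdtemp(root) == NULL) return NULL;
        snprintf(path, sizeof path, "%s/real", root);
        if (mkdir(path, 0700) != 0) return NULL;
        snprintf(path, sizeof path, "%s/lnk", root);
        if (symlink("real", path) != 0) return NULL;
        ready = 1;
    }
    return root;
}
```

A trailing slash on a directory entry ("dir/") is not treated as an intervening component, and a name whose own last component is a symlink passes rule 2, matching the unlink-and-create exception in (2).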