Subject: Re: tar ignores filenames that contain `..'
To: Alistair Crooks <agc@wasabisystems.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 10/23/2002 19:26:04
A modified version of my pax-mods proposal:
It was noted to me offlist that perhaps checking all in-filesystem symlinks
would be useful after all. So, I've nixed the symlink name cache below and
gone to uniform lstat(2)-walking.
=====
1. Create a "safe mode" flag in pax, which will make all of the following
an error rather than a warning. Use this flag in e.g. pkg_add(8).
2. For each entry being extracted, warn if any intervening path component is
a symlink in the filesystem. (This catches both extant symlinks *and*
those created by pax.)
If the entry's full path is an extant symlink, however, don't warn; do
standard unlink-and-create logic. (This would have to be tested as to
whether it DTRT for non-plain-files, e.g. directories and device nodes,
that replace symlinks in the filesystem. The idea is that even a
directory that exactly matches an extant symlink would simply replace the
symlink with a directory safely.)
3. If a file is encountered in the archive which contains "../" in its
pathname, warn (without regard to whether the path appears to stay within
the archive; this is a corner case and difficult to get "right" in the
face of possible symlink warnings, above).
=====
The above keeps the warnings more uniform and easier to understand/explain.
It's unusual for symlinks to sit in the middle of an extracted entry's path,
so it probably is a good idea to warn about them all around.
Since (2) would involve some significant lstat(2) load, it would probably be
a good idea to cache results with hsearch(3) or similar. Note that
if these results are cached, they need to be obliterated if a later entry in
the archive unlinks the symlink in question.
--
-- Todd Vierling <tv@pobox.com>
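Points (1) through (3) of the proposal above, as an added example in C that is not pax source (names such as check_entry, may_extract and demo_root are this example's own). It lstat(2)-walks every intervening component of an entry name under the extraction root and flags symlinks, leaves a symlink sitting exactly at the entry's full path alone (unlink-and-create territory), and flags any ".." component, which is slightly broader than a literal "../" substring test. Safe mode turns any warning into a refusal. The hsearch(3) cache is omitted; the scratch tree it checks is constructed by the example itself under $TMPDIR.

```c
/* Added example: lstat-walk path checks in the spirit of the pax proposal.
 * Not pax code; function and macro names are this example's own. */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define W_DOTDOT        0x1  /* (3) entry name contains a ".." component */
#define W_SYMLINK_COMP  0x2  /* (2) an intervening component is a symlink */
#define W_ERROR         0x4  /* lstat failed for a reason other than ENOENT */

/* Check one archive entry `name` that would be extracted under `root`.
 * Returns a bitmask of the warnings above; 0 means the entry is clean. */
int check_entry(const char *root, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    const char *comp, *last;
    size_t rootlen;
    int warn = 0;

    if (snprintf(path, sizeof path, "%s/%s", root, name) >= (int)sizeof path)
        return W_ERROR;
    rootlen = strlen(root) + 1;             /* the walk starts after "root/" */

    /* Every '/' inside the entry name closes an intervening component.
     * The final component is deliberately not lstat'ed: a symlink sitting
     * exactly at the entry's path is simply replaced by the new entry. */
    for (char *p = path + rootlen; *p; p++) {
        if (*p != '/')
            continue;
        *p = '\0';
        comp = strrchr(path, '/');          /* text after the previous '/' */
        comp = comp ? comp + 1 : path;
        if (strcmp(comp, "..") == 0)
            warn |= W_DOTDOT;
        if (lstat(path, &st) == 0) {
            if (S_ISLNK(st.st_mode))        /* extant OR created earlier by us */
                warn |= W_SYMLINK_COMP;
        } else if (errno != ENOENT) {       /* not-yet-created dirs are fine */
            warn |= W_ERROR;
        }
        *p = '/';
    }
    last = strrchr(path, '/');              /* final component: ".." test only */
    if (last && strcmp(last + 1, "..") == 0)
        warn |= W_DOTDOT;
    return warn;
}

/* (1) "safe mode": every warning becomes an error.  Returns 1 if the entry
 * may be extracted, 0 if it must be refused. */
int may_extract(int warn, int safe_mode, const char *name)
{
    if (warn == 0)
        return 1;
    fprintf(stderr, "%s: %s%s%s\n", name,
            (warn & W_DOTDOT)       ? "'..' in pathname; " : "",
            (warn & W_SYMLINK_COMP) ? "intervening symlink; " : "",
            (warn & W_ERROR)        ? "lstat failed; " : "");
    return safe_mode ? 0 : 1;
}

/* Constructed scratch tree for the demonstration (created on first call):
 *   root/dir/          a real directory
 *   root/link  -> dir  symlink to a directory
 *   root/lfile -> dir/f symlink to a (dangling) file; lstat does not follow it */
const char *demo_root(void)
{
    static char root[PATH_MAX];
    char buf[PATH_MAX];
    const char *tmp = getenv("TMPDIR");

    if (root[0])
        return root;
    snprintf(root, sizeof root, "%s/paxcheck.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(root) == NULL) { perror("mkdtemp"); exit(1); }
    snprintf(buf, sizeof buf, "%s/dir", root);   (void)mkdir(buf, 0755);
    snprintf(buf, sizeof buf, "%s/link", root);  (void)symlink("dir", buf);
    snprintf(buf, sizeof buf, "%s/lfile", root); (void)symlink("dir/f", buf);
    return root;
}

int main(void)
{
    const char *root = demo_root();
    const char *names[] = { "dir/a.txt", "link/a.txt", "lfile",
                            "dir/../etc/passwd", "new/sub/f" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s %s\n", names[i],
               may_extract(check_entry(root, names[i]), 1, names[i])
                   ? "extract" : "REJECTED (safe mode)");
    return 0;
}
```

Note that "lfile" passes even though it is a symlink, because it is the entry's full path rather than an intervening component, while "link/a.txt" is flagged because the walk reaches the symlink before the final component. "new/sub/f" passes: ENOENT on components pax has not created yet is not a warning.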