Subject: Re: tar ignores filenames that contain `..'
To: Alistair Crooks <agc@wasabisystems.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 10/23/2002 15:21:13
On Wed, 23 Oct 2002, Todd Vierling wrote:

: Symbolic links whose *content* contains "../" are not the same thing as file
: entries in a tar file whose *filename* contains "../".
:
: The former should be unconditionally allowed by pax, as the default is to
: unlink before creating; there's no risk of overwriting files outside the
: destination tree, even if a created symlink points outside the destination
: tree.

I have been told offlist that there does exist one possibility where this
can be a bad thing, but ONLY IF some proper security checks aren't being
done ahead of time in pax.  As of pax in NetBSD 1.6, such checks are not
being done.

$ ln -s .. foo
$ touch foo/bar
$ pax -wf symlinktest.tar foo foo/bar

The resultant tarfile contains two entries:

lrwxr-xr-x  1 tv       staff          0 Oct 23 14:59 foo => ..
-rw-r--r--  1 tv       staff          0 Oct 23 14:59 foo/bar

Note the order of the entries, which is important.  Also note the lack of a
directory entry for "foo" preceding "foo/bar" (caused by explicitly adding
the file "foo/bar" rather than recursively adding a directory "foo").
Basically, this tar file is bad form, but only because it's already known
that "foo" (as a component of "foo/bar") is not a directory.

This, in itself, is not necessarily a security problem, as a sysadmin could
want to do this for legitimate purposes.  It can be a security problem when
blindly extracting some tarfiles.  However, it's NOT acceptable simply to
skip over symlinks containing "../", as that *will* defeat the common use of
tar/pax/cpio/etc. as a *backup tool*.

=====

The following refinements in pax (and *tools that use it*) would eliminate
these problems without sacrificing flexibility:

1. Create a "safe mode" flag in pax, which will make all of the following
   an error rather than a warning.  Use this flag in e.g. pkg_add(8).

2. Cache a list of symlinks encountered during extraction.  If a file is
   encountered which contains this symlink name at the start of its path
   followed by a "/" (i.e. a file that will follow that earlier symlink as
   if it were a directory), warn stderr about this, such as:

   "%s: pathname contains pre-created symbolic link %s"

3. If a file is encountered in the archive which contains "../" in its
   pathname, warn (without regard to whether the path appears to stay within
   the tarfile), such as:

   "%s: file %s contains parent directory entry; suggest using option -s"

4. Warn if a directory entry appears in the archive which corresponds to an
   symlink already existing in the filesystem.

=====

Note that I don't mention even issuing a warning if a *file* in a tarball
extracts across a symlink already existing in the filesystem.  That's a
quite useful feature that can be termed "pilot error" if it munges
something, and isn't pax's responsibility to check.  This is also the reason
that (2) above suggests caching a symlink list rather than doing
lstat(2)-walks.

-- 
-- Todd Vierling <tv@pobox.com>