Subject: Re: tar ignores filenames that contain `..'
To: Alistair Crooks <agc@wasabisystems.com>
From: Greywolf <greywolf@starwolf.com>
List: tech-security
Date: 10/23/2002 12:48:49
On Wed, 23 Oct 2002, Alistair Crooks wrote:

# And I will jump in and say that it is really pax's problem.  This is
# because (a) a lot of the distfiles that we use in pkgsrc come with
# symbolic links with ".." in them, so that we can't even extract the
# contents properly now - this has nothing to do with pkg_create - and
# (b) because we go to great lengths in pkg_create to make symbolic
# links relative to ${PREFIX} for binary packages.  You are now
# seriously suggesting that we can't make archives relative to a certain
# directory because tar or pax might extract over a file that's above
# ${PREFIX}?  I'd say that was a bug in pax and tar - they should be
# able to calculate the depth of directories, and handle it accordingly.
#
# I realise this has nothing to do with pax itself - we'd be seeing the
# same problems right now with GNU tar.
#

Why not just have an '--allow-dot-dot' flag or something similarly
(in)sane added to pax?  That way you have to explicitly say that
'yes, I *know* there are ../ entries in here.  Do It Anyway.'

rm has '-f' for a reason.  It also has '-i' for a reason.  Many
other utilities follow suit, especially in the fact that they are
*options* (flags), almost none of which are active by default
(in the long run, almost none, anyway).  The '-f', as I'm sure
most of us are familiar, means 'shut up and try anyway, I don't care
about EROFS etc.'

We are thus responsible for the consequences of our actions.

				--*greywolf;
--
NetBSD: Microsoft ask you where you want to go.  BSD gets you there.