Subject: Re: tar ignores filenames that contain `..'
To: Frederick Bruckman <fredb@immanent.net>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 10/23/2002 16:35:25

On Wed, 23 Oct 2002, Frederick Bruckman wrote:
: > Why not just have an '--allow-dot-dot' flag or something similarly
: > (in)sane added to pax? That way you have to explicitly say that
: > 'yes, I *know* there are ../ entries in here. Do It Anyway.'
:
: There already is one (--insecure).

Ick. That doesn't really help much, since an admin would have to use such a
flag on any pax-based backup-and-restore. (Think "already written
backup/restore helper scripts".) For instance, there are dozens of symlinks
on my system containing "../", none of which would come back to me if I
were to extract with the "new" pax.

Seems to me like cutting off all blood flow to an arm because it's cut.

I don't run -current right now, so I'm curious as to whether such a symlink
will be skipped on a "pax -rw", where you're just wanting to move a whole
tree...? This is, of course, a completely normal operation that could
easily contain symlinks in the middle with "../" in their contents.

: Note that if you add the flag to the package tools invocation, then you
: have to require current "pax"..., only to get the old behavior!

I'm tempted to have a go at the 4-step version I posted earlier--which, if
you look carefully, says nothing at all about symlinks containing "../",
because that fact isn't relevant. Hence, even pkg_* and backup/restore
scenarios can use a pax, so modified, just fine without warnings or errors
(all three listed scenarios are corner cases that shouldn't happen in normal
use).

The plan I posted does invert the security logic, though, which jibes with
most commands with which I'm familiar. (Default == work but with warnings;
one flag turns warnings into errors; another optional flag can suppress the
warnings.) This would mean adding the invocation in pkg_* to use the "safe"
flag if that mode were desired, as I believe it would.

But what I don't necessarily have in the very near term is the time to
commit to implementing and testing it all.

--
-- Todd Vierling <tv@pobox.com>
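The distinction the message turns on, and the warn/strict/quiet policy model it describes, as an added example that is not part of the thread and not NetBSD's pax or pkg_* code: only the member *name* decides where an extraction writes, so that is what gets checked for walking out of the destination directory, while "../" in a symlink's *target* is left alone. The archive listing is constructed for the demonstration, and the three policy names (`warn`, `strict`, `quiet`) are this example's own, not pax flags.

```python
import posixpath

# Constructed archive listing for the demonstration: (member name, entry type,
# symlink target or None). This is not a real pax/tar archive.
SAMPLE_ENTRIES = [
    ("etc/passwd", "file", None),
    ("lib/libc.so", "symlink", "../usr/lib/libc.so.12"),  # "../" only in the target
    ("a/b/../c", "file", None),                           # normalises to a/c, inside root
    ("../../../etc/passwd", "file", None),                # member name walks out of root
    ("/etc/crontab", "file", None),                       # absolute member name
    ("ok/../../evil", "file", None),                      # escapes only after normalising
]


def escapes_root(name: str) -> bool:
    """True if writing `name` relative to the extraction directory would
    land outside it.  Only the member name (where the entry is written) is
    examined; a symlink's target is deliberately not, since "../" in a link
    target is ordinary (see the "lib/libc.so" entry above)."""
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def check_entries(entries, policy="warn"):
    """Classify entries under one of three (hypothetical) policies:
      "warn"   - extract everything, report the names that escape (default)
      "strict" - refuse escaping names and report them as errors
      "quiet"  - extract everything, report nothing
    Returns (extracted, warnings, errors) as lists of member names."""
    if policy not in ("warn", "strict", "quiet"):
        raise ValueError(f"unknown policy {policy!r}")
    extracted, warnings, errors = [], [], []
    for name, _kind, _target in entries:
        if escapes_root(name):
            if policy == "strict":
                errors.append(name)
                continue  # entry is skipped; nothing is written
            if policy == "warn":
                warnings.append(name)
        extracted.append(name)
    return extracted, warnings, errors


if __name__ == "__main__":
    for policy in ("warn", "strict", "quiet"):
        extracted, warnings, errors = check_entries(SAMPLE_ENTRIES, policy)
        print(f"{policy:6s} extracted={len(extracted)} warned={warnings} refused={errors}")
```

The symlink entry passes under every policy, because the check never looks at its target, which is the behaviour the message wants for backup/restore and `pax -rw` of a tree full of relative links. Note the trade-off in the default: under `warn` the three escaping member names are still written outside the destination, just with a complaint, so a restore helper or a package tool that cannot tolerate that needs to ask for `strict`, exactly as the message says pkg_* should.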