> lrwxrwxrwx willy/users 0 Sep 21 11:34 1998 include -> /etc
> -rw-r--r-- willy/users 758 Sep 21 11:40 1998 include/profile

Yeah, this is nasty, because either of those by itself could be
legitimate and useful; it's only in conjunction that they're dangerous.

But this sort of thing is why, quite some time ago, I added a key (I
picked "j") to my tar to watch for exactly this kind of thing: add j to
an x operation and tar will refuse to extract such things. The comment
header on the relevant function reads

/*
 * About to extract a file. Check that the pathname is free from
 * certain evil things that do not normally appear in tar archives,
 * but could, and would be unpleasant. We walk the path, following
 * any symlinks that exist in the filesystem (thereby catching
 * archives that, eg, contain a symlink ./foo->/etc and then a file
 * ./foo/passwd). If we follow a symlink to an absolute path, or if
 * we ever try to ../ up out of our current directory, we print a
 * complaint and skip the extraction of this archive member. Also, we
 * refuse attempts to hard-link to anything other than a plain file.
 *
 * This code is full of potential races, but we aren't trying to
 * protect against races between tars extracting and other processes
 * meddling, only against extracting archives that contain evil
 * things. The idea is that rather than doing a tar tvf of the
 * archive and eyeball-scanning for evil things, extract with j and
 * let tar do the checking.
 */

Of course, on systems with symlink modes this will break for an archive
that looks like

	--x--x--x ./foo -> /etc
	rwxrwxrwx ./foo/profile

because it won't be able to readlink() the extracted symlink. This case
has not been well tested in my code, largely because at the time I wrote
it I didn't have a system with symlink modes to test it on.

					der Mouse

			       mouseat_private

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
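
The path walk described in the comment header above, as an added C example that is not der Mouse's code and not part of the original post: each member name is resolved component by component against the current directory, following symlinks already on disk, and is rejected on an absolute target or a ../ that climbs out. walk() and member_is_safe() are hypothetical names; the hard-link check is left out, and refusing when readlink() fails (the symlink-modes case) is a choice made here.

```c
/* Added example: constructed sketch, not der Mouse's code. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Walk `path` from directory `cur`, one component at a time. *depth is how far
 * below the extraction directory we are; *hops bounds symlink loops.
 * Returns 1 if the walk stays inside, 0 if the member should be skipped. */
static int walk(const char *path, char *cur, int *depth, int *hops)
{
    char buf[PATH_MAX], next[PATH_MAX], target[PATH_MAX], *save, *comp;
    struct stat st; ssize_t n;
    if (path[0] == '/' || strlen(path) >= sizeof buf)
        return 0;                        /* absolute (or oversized) path */
    strcpy(buf, path);
    for (comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, ".") == 0)
            continue;
        if (strcmp(comp, "..") == 0) {
            if (--*depth < 0)
                return 0;                /* ../ up out of our directory */
            *strrchr(cur, '/') = '\0';   /* drop the last component */
            continue;
        }
        if (snprintf(next, sizeof next, "%s/%s", cur, comp) >= (int)sizeof next)
            return 0;
        if (lstat(next, &st) == 0 && S_ISLNK(st.st_mode)) {
            n = readlink(next, target, sizeof target - 1);
            if (n < 0 || ++*hops > 32)
                return 0;                /* unreadable link (assumed: refuse) or loop */
            target[n] = '\0';
            if (!walk(target, cur, depth, hops))
                return 0;                /* link target leads outside */
            continue;                    /* cur/depth now reflect the target */
        }
        strcpy(cur, next);               /* plain or not-yet-existing name */
        ++*depth;
    }
    return 1;
}
/* Hypothetical entry point: 1 = extract, 0 = complain and skip the member. */
int member_is_safe(const char *member)
{
    char cur[PATH_MAX] = ".";
    int depth = 0, hops = 0;
    return walk(member, cur, &depth, &hops);
}
```

Like the original, this only inspects the filesystem as it is at the moment of the check, so it does nothing about races with other processes.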