> lrwxrwxrwx willy/users 0 Sep 21 11:34 1998 include -> /etc
> -rw-r--r-- willy/users 758 Sep 21 11:40 1998 include/profile
Yeah, this is nasty, because either of those by itself could be
legitimate and useful; it's only in conjunction that they're dangerous.
But this sort of thing is why, quite some time ago, I added a key (I
picked "j") to my tar to watch for exactly this kind of thing: add j to
an x operation and tar will refuse to extract such things. The comment
header on the relevant function reads
/*
* About to extract a file. Check that the pathname is free from
* certain evil things that do not normally appear in tar archives,
* but could, and would be unpleasant. We walk the path, following
* any symlinks that exist in the filesystem (thereby catching
* archives that, eg, contain a symlink ./foo->/etc and then a file
* ./foo/passwd). If we follow a symlink to an absolute path, or if
* we ever try to ../ up out of our current directory, we print a
* complaint and skip the extraction of this archive member. Also, we
* refuse attempts to hard-link to anything other than a plain file.
*
* This code is full of potential races, but we aren't trying to
* protect against races between tars extracting and other processes
* meddling, only against extracting archives that contain evil
* things. The idea is that rather than doing a tar tvf of the
* archive and eyeball-scanning for evil things, extract with j and
* let tar do the checking.
*/
Of course, on systems with symlink modes this will break for an archive
that looks like
--x--x--x ./foo -> /etc
rwxrwxrwx ./foo/profile
because it won't be able to readlink() the extracted symlink. This
case has not been well tested in my code, largely because at the time I
wrote it I didn't have a system with symlink modes to test it on.
der Mouse
mouseat_private
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:42 PDT