tar and the semantics of "filenames"
Glenn L. McGrath
bug1 at ihug.co.nz
Wed Apr 19 20:26:39 UTC 2006
On Wed, 19 Apr 2006 17:48:07 +0200
Natanael Copa <natanael.copa at gmail.com> wrote:
> Robert P. J. Day wrote:
>
> > it *may* be that those routines have no problem with a trailing slash,
> > but i think that misses the point. the question is, should busybox
> > even be *trying* to invoke system calls using the names as they
> > appear in the tar archive?
>
> There should definitively be some kind of sanity checking before trying
> invoke system calls.
>
> Names having '..' as path elements should be rejected.
> There should be some checking for symlink tricks too.
Actually, i remember a few years ago a friend couldnt extract a tar
archive, GNU tar allowed him to create it but not extract it.
He created the archive with with the directory ../<something> GNU tar
refused to go back directories when extracting.
My friend used busybox tar to extract the archive.
At the time i pondered wether busybox tar should be "fixed" but its the
old argument of wether we should be protecting people from themselves.
There is a saying along the lines of "There is no point trying to make
a product idiot proof, god will just create a better idiot"
Glenn
More information about the busybox
mailing list