•Re: Security Hole in Archive::Tar ??

Replies are listed 'Best First'.
Re: •Re: Security Hole in Archive::Tar ?? by RMGir (Prior) on Apr 03, 2002 at 11:43 UTC
That's not how GNU tar behaves. (Ok, so gnu tar is a lot smarter than standard tar. But standard tar, at least on Solaris, will expand absolute paths...) Using gnu tar (on cygwin, although it shouldn't matter) $ mkdir a $ cd a $ touch a_file $ mkdir b $ cd b $ touch b_file $ tar cvf /tmp/abc.tar b_file ../a_file $ tar cvf /tmp/abc.tar b_file ../a_file b_file tar: Member names contain `..' ../a_file $ tar tvf /tmp/abc.tar -rw-r--r-- mike/mike 0 2002-04-03 06:48:08 b_file -rw-r--r-- mike/mike 0 2002-04-03 06:48:02 ../a_file $ rm b_file ../a_file $ tar xvf /tmp/abc.tar b_file ../a_file tar: ../a_file: Member name contains `..' tar: Error exit delayed from previous errors $ ls . .. .: b_file ..: b [download] See? The file in .. was not extracted. Wish I had time to download Archive::Tar to test what it would do, but I have to run to get to work. -- Mike	[reply] [d/l]
Re: Re: •Re: Security Hole in Archive::Tar ?? by Anonymous Monk on Jun 17, 2002 at 10:32 UTC
I had the same error " member name contains `..' " when extracting an archive (and running it through gzip). # tar -zxvf my_tar_file.tar.gz The problem - I think - is that I created a tarball while being in some subdirectory. To cut the leading `\' from filenames I used the -P option. So the new cmd is: tar -zxvfP my_tar_file.tar.gz	[reply]