in reply to •Re: Security Hole in Archive::Tar ??
in thread Security Hole in Archive::Tar ??
(Ok, so GNU tar is a lot smarter than standard tar. But standard tar, at least on Solaris, will expand absolute paths...)
Using GNU tar (on Cygwin, although it shouldn't matter):

```
$ mkdir a
$ cd a
$ touch a_file
$ mkdir b
$ cd b
$ touch b_file
$ tar cvf /tmp/abc.tar b_file ../a_file
$ tar cvf /tmp/abc.tar b_file ../a_file
b_file
tar: Member names contain `..'
../a_file
$ tar tvf /tmp/abc.tar
-rw-r--r-- mike/mike 0 2002-04-03 06:48:08 b_file
-rw-r--r-- mike/mike 0 2002-04-03 06:48:02 ../a_file
$ rm b_file ../a_file
$ tar xvf /tmp/abc.tar
b_file
../a_file
tar: ../a_file: Member name contains `..'
tar: Error exit delayed from previous errors
$ ls . ..
.:
b_file

..:
b
```

See? The file in .. was not extracted.
Wish I had time to download Archive::Tar to test what it would do, but I have to run to get to work.
--
Mike
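The refusal GNU tar shows in the session above can also be enforced before extraction with a tar that does not do it itself. This is an added example, not part of the original post; `unsafe_members` and `safe_extract` are hypothetical names, and the check covers member names only, not symlink targets inside the archive.

```shell
# Added example (not from the original post).
# Print every member name that would land outside the extraction directory.
# Reads one member name per line on stdin, e.g. the output of `tar tf`.
unsafe_members() {
    while IFS= read -r name; do
        case "$name" in
            /*)                  printf '%s\n' "$name" ;;  # absolute path
            ..|../*|*/..|*/../*) printf '%s\n' "$name" ;;  # ".." as a path component
        esac
    done
}

# Extract an archive only if no member name is flagged.
# Assumption: the local tar accepts `tf` and `xf`. Names only are checked;
# a symlink member pointing outside the directory is not caught here.
safe_extract() {
    archive=$1
    bad=$(tar tf "$archive" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing to extract %s; unsafe member names:\n%s\n' \
            "$archive" "$bad" >&2
        return 1
    fi
    tar xf "$archive"
}

# Constructed sample: the two member names from the listing in the post.
printf '%s\n' b_file ../a_file | unsafe_members
```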
Re: Re: •Re: Security Hole in Archive::Tar ??
by Anonymous Monk on Jun 17, 2002 at 10:32 UTC