tar and the semantics of "filenames"

Natanael Copa natanael.copa at gmail.com
Wed Apr 19 15:48:07 UTC 2006


Robert P. J. Day wrote:

> it *may* be that those routines have no problem with a trailing slash,
> but i think that misses the point.  the question is, should busybox
> even be *trying* to invoke system calls using the names as they
> appear in the tar archive?

There should definitely be some kind of sanity checking before trying
to invoke system calls.

Names having '..' as path elements should be rejected.
There should be some checking for symlink tricks too.

> 
> i think that has to be resolved before going any further.
> 
> rday
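
The two checks named in this reply, sketched in C as an added example; this is not BusyBox code and not part of the original message. The function names `member_name_is_safe` and `parent_is_symlink` are hypothetical, and the symlink check assumes names are resolved from the extraction directory and does not close the window between the check and the later system call.

```c
#include <errno.h>
#include <string.h>
#include <sys/stat.h>

/* Return 1 if a tar member name is relative and has no ".." path element. */
int member_name_is_safe(const char *name)
{
    const char *p = name;

    if (*p == '\0' || *p == '/')
        return 0;                        /* empty or absolute name */
    while (*p) {
        size_t len = strcspn(p, "/");    /* length of this path element */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                    /* ".." as a whole element */
        p += len;
        while (*p == '/')                /* repeated or trailing slashes */
            p++;
    }
    return 1;
}

/* Return 1 if a directory leading to name already exists as a symlink,
 * 0 if none does, -1 on error. The last element is not examined. */
int parent_is_symlink(const char *name)
{
    char prefix[4096];
    struct stat st;
    size_t i, n = strlen(name);

    if (n >= sizeof(prefix))
        return -1;
    while (n > 0 && name[n - 1] == '/')  /* ignore trailing slashes */
        n--;
    for (i = 1; i < n; i++) {
        if (name[i] != '/' || name[i - 1] == '/')
            continue;                    /* not the end of an element */
        memcpy(prefix, name, i);
        prefix[i] = '\0';
        if (lstat(prefix, &st) != 0)     /* missing: nothing below exists */
            return errno == ENOENT ? 0 : -1;
        if (S_ISLNK(st.st_mode))
            return 1;
    }
    return 0;
}
```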
