tar and the semantics of "filenames"

Natanael Copa natanael.copa at gmail.com
Wed Apr 19 21:03:58 UTC 2006


On Thu, 20 Apr 2006 08:26:39 +1200
"Glenn L. McGrath" <bug1 at ihug.co.nz> wrote:

> On Wed, 19 Apr 2006 17:48:07 +0200
> Natanael Copa <natanael.copa at gmail.com> wrote:

> > Names having '..' as path elements should be rejected.
> > There should be some checking for symlink tricks too.
> 
> Actually, I remember a few years ago a friend couldn't extract a tar
> archive, GNU tar allowed him to create it but not extract it.
>
> He created the archive with the directory ../<something>; GNU tar
> refused to go back directories when extracting.

tar -P didn't help?

> My friend used busybox tar to extract the archive.
> 
> At the time i pondered whether busybox tar should be "fixed" but it's the
> old argument of whether we should be protecting people from themselves.

Well, I was more thinking of protecting you from me.

Let's say I send you a tar file, saying, please take a look at those sources for foo-2.0. The file has lots of files, lots of them. You do a "tar ztf" to make sure that it looks ok. You give it a quick look and it looks ok. Since you don't carefully read every single line you miss a special file named "foo-2.0/src/../../../../../etc/passwd"

While you look at the sources, I log in to your busybox.

> There is a saying along the lines of "There is no point trying to make
> a product idiot proof, god will just create a better idiot"

:-)

Sounds like an excuse to run windows with admin privileges. "It's not dangerous, just don't click on any attachments"

I have found myself clicking on icons looking like folders just to notice the next second that the "folder" is named something.exe. Fortunately, it was not my computer :-)

I have also found myself clicking on attachments to email server error messages named "something.txt    (lots of spaces)   .exe". Fortunately I ran an OS where the filenames decide if you are allowed to execute or not.

I guess God just made me into a better idiot. :-)

--
Natanael Copa
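The two checks proposed at the top of this thread (reject '..' path elements, catch symlink tricks) as an added example in Python; this is not code from the thread or from busybox tar. The archive is constructed inline, the member names "foo-2.0/..." are made up, and the symlink chain "up" -> "..", "b" -> "up/.." is an assumed test case showing why a purely lexical target check is not enough.

```python
import io
import posixpath
import tarfile

def parts_of(path: str) -> list[str]:
    """Split a POSIX tar path into components, dropping empty and '.' entries."""
    return [p for p in path.split("/") if p not in ("", ".")]

def escapes(path: str) -> bool:
    """True if path is absolute or lexically climbs above the extraction directory."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")

def through_symlink(path: str, symlinks: set[str]) -> bool:
    """True if a leading component of path is a symlink seen earlier in the archive."""
    p = parts_of(path)
    return any("/".join(p[:i]) in symlinks for i in range(1, len(p)))

def audit_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that must not be extracted."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:  # archive order matters: a symlink extracted earlier is live on disk
            if ".." in parts_of(m.name) or m.name.startswith("/"):
                findings.append((m.name, "'..' or absolute path in member name"))
            elif through_symlink(m.name, symlinks):
                findings.append((m.name, "path passes through an earlier symlink"))
            elif m.issym():
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes(target) or through_symlink(target, symlinks):
                    findings.append((m.name, f"symlink target {m.linkname!r} may leave tree"))
                else:
                    symlinks.add("/".join(parts_of(m.name)))
    return findings

def build_sample() -> bytes:
    """Constructed archive: one benign file plus the tricks discussed in the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        def add(name, data=b"", kind=tarfile.REGTYPE, link=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, link, len(data)
            tf.addfile(ti, io.BytesIO(data))
        add("foo-2.0/README", b"hello\n")
        add("foo-2.0/src/../../../../../etc/passwd", b"root::0:0::/:/bin/sh\n")
        add("foo-2.0/up", kind=tarfile.SYMTYPE, link="..")     # lexically still inside the tree
        add("foo-2.0/b", kind=tarfile.SYMTYPE, link="up/..")   # chains through 'up' to escape
        add("foo-2.0/up/passwd", b"owned\n")                   # regular file written via a symlink
    return buf.getvalue()
```

Python 3.12's tarfile extraction filters (`filter="data"`) perform comparable checks at extraction time; the point of doing it as a separate audit pass is that a "tar ztf" listing alone, as the message above notes, is easy to skim past.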
