summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2011-01-04 08:46:26 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2011-01-04 08:46:26 +0100
commita116552869db5e7793ae10968eb3c962c69b3d8c (patch)
treef75548679a257aeffd832be5366a4f41cde116ab
parent6100b51ca81721ac364f101a17cbce0d9f6fcb59 (diff)
tar: add a note about -C and symlink-in-tarball attack
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--archival/tar.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/archival/tar.c b/archival/tar.c
index ebaa965c0..813f86e82 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -23,6 +23,25 @@
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
*/
+/* TODO: security with -C DESTDIR option can be enhanced.
+ * Consider tar file created via:
+ * $ tar cvf bug.tar anything.txt
+ * $ ln -s /tmp symlink
+ * $ tar --append -f bug.tar symlink
+ * $ rm symlink
+ * $ mkdir symlink
+ * $ tar --append -f bug.tar symlink/evil.py
+ *
+ * This will result in an archive which contains:
+ * $ tar --list -f bug.tar
+ * anything.txt
+ * symlink
+ * symlink/evil.py
+ *
+ * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
+ * This doesn't feel right, and IIRC GNU tar doesn't do that.
+ */
+
#include <fnmatch.h>
#include "libbb.h"
#include "archive.h"