emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tar: add a note about -C and symlink-in-tarball attack

Browse Source 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2011-01-04 08:46:26 +01:00
parent 6100b51ca8
commit a116552869
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
archival/tar.c
View File

@ -23,6 +23,25 @@
* Licensed under GPLv2 or later, see file LICENSE in this source tree. * Licensed under GPLv2 or later, see file LICENSE in this source tree.
*/ */
/* TODO: security with -C DESTDIR option can be enhanced.
* Consider tar file created via:
* $ tar cvf bug.tar anything.txt
* $ ln -s /tmp symlink
* $ tar --append -f bug.tar symlink
* $ rm symlink
* $ mkdir symlink
* $ tar --append -f bug.tar symlink/evil.py
*
* This will result in an archive which contains:
* $ tar --list -f bug.tar
* anything.txt
* symlink
* symlink/evil.py
*
* Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
* This doesn't feel right, and IIRC GNU tar doesn't do that.
*/
#include <fnmatch.h> #include <fnmatch.h>
#include "libbb.h" #include "libbb.h"
#include "archive.h" #include "archive.h"