From a116552869db5e7793ae10968eb3c962c69b3d8c Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Tue, 4 Jan 2011 08:46:26 +0100 Subject: tar: add a note about -C and symlink-in-tarball attack Signed-off-by: Denys Vlasenko --- archival/tar.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'archival') diff --git a/archival/tar.c b/archival/tar.c index ebaa965c0..813f86e82 100644 --- a/archival/tar.c +++ b/archival/tar.c @@ -23,6 +23,25 @@ * Licensed under GPLv2 or later, see file LICENSE in this source tree. */ +/* TODO: security with -C DESTDIR option can be enhanced. + * Consider tar file created via: + * $ tar cvf bug.tar anything.txt + * $ ln -s /tmp symlink + * $ tar --append -f bug.tar symlink + * $ rm symlink + * $ mkdir symlink + * $ tar --append -f bug.tar symlink/evil.py + * + * This will result in an archive which contains: + * $ tar --list -f bug.tar + * anything.txt + * symlink + * symlink/evil.py + * + * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given. + * This doesn't feel right, and IIRC GNU tar doesn't do that. + */ + #include #include "libbb.h" #include "archive.h" -- cgit v1.2.3