[8038] in bugtraq
Re: tar "features"
daemon@ATHENA.MIT.EDU (Kragen)
Sat Sep 26 22:33:52 1998
Date: Sat, 26 Sep 1998 10:05:32 -0400
Reply-To: Kragen <kragen@DNACO.NET>
From: Kragen <kragen@DNACO.NET>
X-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199809251800.OAA06027@Twig.Rodents.Montreal.QC.CA>

On Fri, 25 Sep 1998, der Mouse wrote:
> But this sort of thing is why, quite some time ago, I added a key (I
> picked "j") to my tar to watch for exactly this kind of thing: add j to
> an x operation and tar will refuse to extract such things.

Is this a patch you can release?
Why do you provide the option of not doing this checking?

> * This code is full of potential races,

That's an interesting thing to point out. I can't count the number of
tar files I've extracted that had world-writable directories in them.
The races you mention exist in just ordinary tar, as well as your
modified version, I assume.

> Of course, on systems with symlink modes this will break for an archive
> that looks like
>
> --x--x--x ./foo -> /etc
> rwxrwxrwx ./foo/profile
>
> because it won't be able to readlink() the extracted symlink.

I assume this means that you're using readlink() to tell if it's a
symlink or not. Can't you use lstat() and ISLNK()? Or is ISLNK not
portable?

Kragen
--
<kragen@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
The sages do not believe that making no mistakes is a blessing. They believe,
rather, that the great virtue of man lies in his ability to correct his
mistakes and continually make a new man of himself. -- Wang Yang-Ming
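
The check discussed in this message, as an added example (not code from der Mouse's patch or from any tar implementation): POSIX lstat() and the S_ISLNK() macro applied to each leading component of a member name before it is extracted. The function names and the temporary-directory fixture are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if a leading component of member name `path` already exists as a
 * symlink, 0 if none does, -1 on error. lstat() examines the link itself, so
 * nothing has to be read through it. The check is still racy, as the thread
 * notes: the tree can change between this lstat() and the later create. */
int parent_is_symlink(const char *path)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; *p != '\0'; p++) {
        if (*p != '/')
            continue;
        *p = '\0';                      /* cut at this component */
        int r = lstat(buf, &st);
        *p = '/';
        if (r == 0 && S_ISLNK(st.st_mode))
            return 1;                   /* member would land behind a symlink */
        if (r != 0)
            return errno == ENOENT ? 0 : -1;  /* not created yet, or error */
    }
    return 0;
}

/* Constructed fixture mirroring the listing in the thread: foo -> /etc next
 * to an ordinary directory. Returns 0 when both verdicts are as expected. */
int demo(void)
{
    char tmpl[] = "/tmp/tarchk.XXXXXX";
    if (mkdtemp(tmpl) == NULL || chdir(tmpl) != 0)
        return -1;
    if (mkdir("plain", 0700) != 0 || symlink("/etc", "foo") != 0)
        return -1;
    int ok = parent_is_symlink("./foo/profile") == 1 &&
             parent_is_symlink("./plain/profile") == 0;
    unlink("foo"); rmdir("plain");
    if (chdir("/") == 0) rmdir(tmpl);
    return ok ? 0 : 1;
}
```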