unpack_in still allows creating files outside the directory #129
Comments
Right, I think this is my fault as I didn't take into account such a case, and the absolute link test is also blind to this. The problem is that we rely on checking parents for path escaping, because I have an initial fix in this local branch https://github.com/alexcrichton/tar-rs/compare/master...lucab:ups/chase_link?expand=1. However I fear it could still be missing some corner cases (and I'm currently traveling). Should I submit a PR with the above anyway?
@lucab yeah I'm ok sort of patching up behavior here over time, a PR would be most welcome!
I'm not sure I have time to make a PR, but I certainly recommend that unpack should not write to symlinks unless the user says that they expect that behavior. It's almost never what you want. (Arguments can be made for just not following symlinks at all.)
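One way to implement the check recommended in the comment above, as an added example that is not tar-rs code: resolve the entry path lexically below the destination, then refuse any component that already exists on disk as a symlink (parent directories and the final name alike). Only the standard library is used; the function names `safe_target` and `make_symlink` are assumptions for this example.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

fn reject(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg.to_string())
}

/// Compute where tar entry `entry` may be written below `dest`, refusing
/// absolute paths, `..` that climbs above `dest`, and any component that
/// already exists as a symlink (a write through it would follow the link).
pub fn safe_target(dest: &Path, entry: &Path) -> io::Result<PathBuf> {
    // Step 1: normalise the entry lexically, tracking depth below `dest`.
    let mut target = dest.to_path_buf();
    let mut depth = 0usize;
    for comp in entry.components() {
        match comp {
            Component::Normal(name) => { target.push(name); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir => {
                if depth == 0 {
                    return Err(reject("entry climbs above the destination"));
                }
                target.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(reject("entry path is absolute"));
            }
        }
    }
    // Step 2: re-walk the normalised path; any existing symlink is fatal.
    let rel = target.strip_prefix(dest).map_err(|_| reject("bad prefix"))?.to_path_buf();
    let mut cur = dest.to_path_buf();
    for comp in rel.components() {
        cur.push(comp);
        if let Ok(meta) = fs::symlink_metadata(&cur) {
            if meta.file_type().is_symlink() {
                return Err(reject("path component is a symlink"));
            }
        }
    }
    Ok(target)
}

// Helper used by the test below to build a symlinked directory (assumed name).
#[cfg(unix)]
pub fn make_symlink(original: &Path, link: &Path) -> io::Result<()> { std::os::unix::fs::symlink(original, link) }
#[cfg(windows)]
pub fn make_symlink(original: &Path, link: &Path) -> io::Result<()> { std::os::windows::fs::symlink_dir(original, link) }
```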
A security advisory was published at the time: https://github.com/RustSec/advisory-db/blob/master/crates/tar/RUSTSEC-2018-0002.toml
The following tar construct will write to /tmp/exploit: