On 04/20/2012 03:30 PM, Stefan Tomanek wrote: > Is there any argument against the original patch
Well, sure: it is a hack that doesn't solve the problem, and it might lead to similar future workaround hacks that will continue to increase tar's complexity and still not solve the problem. And besides, it sounds like 'tar' can handle the situation in question, or something pretty close to it, without needing any changes. > Can you elaborate on the possible attack scenario? I don't have a specific scenario, no, since I don't know the exact situation. But the basic problem is a race condition between the time the file is chosen by 'find' to dump (or to not dump), and the time the file name is presented to 'tar'. I worry that an attacker could cause victim files to not be dumped, or conversely could cause files to be dumped when they should not be.
