On Tue, Oct 22, 2019 at 06:37:44AM +0700, Robert Elz wrote:
>     Date:        Mon, 21 Oct 2019 21:20:25 +0200
>     From:        Joerg Sonnenberger <jo...@bec.de>
>     Message-ID:  <20191021192025.ga33...@bec.de>
>
>   | That said, I don't really see a point in
>   | allowing one form of arbitrary file replacement and not another.
>
> If we're thinking of it purely as protection against potentially
> malicious archives obtained from some random internet site, then
> nor do I
I am not sure. Clearly / and .. are protecting against malicious archives.
But in my view a directory entry in the (potentially malicious) archive
overwriting an existing symlink is something where the explicit wish of the
user running the extraction is not honored. The attack vector here would be
someone modifying my file system, placing malicious symlinks somewhere, and
later me running the extraction of the archive - which is very different
from not trusting the archive in the first place.

The other open question is: given that we only have -P, we need to either:

- make sysinst list all directories in the archive and check them for
  existing symlinks, then ask the user whether the existing symlink should
  be kept (and then add -P to the tar command line) or

- simply use -P always on set extractions (where we already know that no ..
  or / should exist and we kind of trust the archives anyway)

The current state silently breaks existing valid setups ("valid" of course
in my view, as I personally ran into one that I created myself).

Martin
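The check Martin's first option describes (list the archive's directory members and look for existing symlinks at the destination before extracting), written out as an added shell example. This is not code from the thread, from sysinst or from NetBSD's tar; it assumes a tar whose -t listing marks directory members with a trailing slash (GNU tar, bsdtar and NetBSD's pax-based tar all do), and it builds its own throw-away archive and destination tree, so nothing below comes from a real set.

```shell
#!/bin/sh
# Added example, not code from the thread or from sysinst: the pre-extraction
# check Martin's first option describes, as a portable shell function.
# Assumes a tar whose -t listing ends directory members with "/"; the archive
# and destination used below are constructed fixtures.

# symlink_conflicts ARCHIVE DEST
# Prints every directory member of ARCHIVE whose path under DEST is currently
# a symlink, i.e. a symlink that a plain extraction would replace with a real
# directory. Returns 0 when there are none, 1 when at least one was found.
symlink_conflicts() {
  archive=$1
  dest=$2
  conflicts=$(
    tar -tf "$archive" | grep '/$' | while IFS= read -r member; do
      path="$dest/${member%/}"
      if [ -L "$path" ]; then
        printf '%s -> %s\n' "$path" "$(readlink "$path")"
      fi
    done
  )
  if [ -n "$conflicts" ]; then
    printf '%s\n' "$conflicts"
    return 1
  fi
  return 0
}

# build_fixture WORK: constructed "set" archive containing etc/ plus one file,
# and an empty destination root. Nothing here is taken from a real NetBSD set.
build_fixture() {
  work=$1
  mkdir -p "$work/src/etc" "$work/dest"
  echo 'rc_configured=YES' > "$work/src/etc/rc.conf"
  (cd "$work/src" && tar -cf "$work/set.tar" etc)
}

# Scenario 1: the operator deliberately made etc a symlink into another tree;
# the check must flag it so the installer can ask before overwriting it.
demo_conflict() {
  work=$(mktemp -d)
  build_fixture "$work"
  mkdir -p "$work/dest/real_etc"
  ln -s real_etc "$work/dest/etc"
  if symlink_conflicts "$work/set.tar" "$work/dest"; then
    rc=0    # nothing flagged (not expected in this scenario)
  else
    rc=1    # conflict flagged: the user must decide before extraction
  fi
  rm -rf "$work"
  return $rc
}

# Scenario 2: plain destination with no symlinks; the check stays quiet.
demo_clean() {
  work=$(mktemp -d)
  build_fixture "$work"
  if symlink_conflicts "$work/set.tar" "$work/dest"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

demo_conflict || echo "conflict case: existing symlink would be replaced, extraction held"
demo_clean && echo "clean case: no symlinks in the way"
```

Run as a script, the first scenario prints the flagged symlink and its target and the second prints nothing; an installer would use the non-zero status to prompt the user, and only then decide whether to add -P to the tar command line as the thread discusses.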