Santiago Vila wrote:
> If you want to follow Bruno's suggestion that unzip is secure by default
> (which I would support), I guess it would not be a lot of work, because,
> once that there is already a new command line option for that, it would
> be just a matter of reversing its logic (i.e. instead of
> -k/--keep-permissions we could have another option which does the opposite).

The -k/--keep-permissions already implements the "secure by default"
principle. It is documented like this in the unzip610c.ann file:

  - New -k/--keep-permissions option controls how permissions are
    restored on Unix and VMS systems. The default behavior has changed
    to apply Unix umask or VMS default protection to the archive
    permissions. With -k, the archive permissions are restored,
    ignoring the Unix umask or VMS default protection (the old default
    behavior). With -k-, the archive permissions are ignored, and the
    Unix umask or VMS default protection determines the permissions.

and like this in the History.610 file:

  - Added option -k/--keep-permissions on AtheOS, BeOS, Unix, and VMS,
    to control how archived permissions or protections are determined
    on extracted files and directories. The default behavior has
    changed from previous UnZip versions. Now, by default, on AtheOS,
    BeOS, and Unix, the current umask value is applied (to the normal
    user/group/other permissions).

Bruno
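The three behaviours quoted in the message above, modelled as an added example (not part of the original message and not UnZip's own code): it reads the Unix mode stored in each entry of a constructed sample archive and computes the user/group/other permissions that would result with the default, with -k and with -k-. The function names, the sample entries and the 0666/0777 base used for -k- are assumptions of this sketch.

```python
import io
import stat
import zipfile

POLICIES = ("default", "-k", "-k-")

def build_sample_zip():
    """Constructed sample archive; Unix modes live in the high 16 bits of external_attr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in (("notes.txt", 0o100666), ("run.sh", 0o100777),
                           ("private.key", 0o100600)):
            info = zipfile.ZipInfo(name)
            info.create_system = 3            # 3 = Unix host, so external_attr carries st_mode
            info.external_attr = mode << 16
            zf.writestr(info, b"constructed sample data")
    buf.seek(0)
    return buf

def resulting_mode(archived_mode, umask, policy):
    """Model of the three behaviours quoted above, user/group/other bits only."""
    perms = stat.S_IMODE(archived_mode) & 0o777
    if policy == "default":                   # umask applied to the archive permissions
        return perms & ~umask
    if policy == "-k":                        # archive permissions restored, umask ignored
        return perms
    if policy == "-k-":                       # archive permissions ignored, umask decides
        # Assumption: the usual creation modes 0666 (file) / 0777 (directory) are the base.
        base = 0o777 if stat.S_ISDIR(archived_mode) else 0o666
        return base & ~umask
    raise ValueError(f"unknown policy: {policy}")

def audit(zip_file, umask):
    """Map each Unix-made entry to the mode it would get under every policy."""
    report = {}
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            if info.create_system != 3:       # no Unix mode stored for this entry
                continue
            archived = info.external_attr >> 16
            report[info.filename] = {p: resulting_mode(archived, umask, p) for p in POLICIES}
    return report

if __name__ == "__main__":
    for name, modes in audit(build_sample_zip(), umask=0o022).items():
        print(name, {p: oct(m) for p, m in modes.items()})
```

With a umask of 022, the world-writable sample entries keep mode 666 and 777 only under -k; the default strips the group and other write bits.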