Santiago Vila wrote:
> If you want to follow Bruno's suggestion that unzip is secure by default
> (which I would support), I guess it would not be a lot of work, because,
> once that there is already a new command line option for that, it would
> be just a matter of reversing its logic (i.e. instead of
> -k/--keep-permissions we could have another option which does the opposite).
The -k/--keep-permissions already implements the "secure by default" principle.
It is documented like this in the unzip610c.ann file:
- New -k/--keep-permissions option controls how permissions are restored
on Unix and VMS systems. The default behavior has changed to apply
Unix umask or VMS default protection to the archive permissions. With
-k, the archive permissions are restored, ignoring the Unix umask or
VMS default protection (the old default behavior). With -k-, the
archive permissions are ignored, and the Unix umask or VMS default
protection determines the permissions.
and like this in the History.610 file:
- Added option -k/--keep-permissions on AtheOS, BeOS, Unix, and VMS, to
control how archived permissions or protections are determined on
extracted files and directories. The default behavior has changed
from previous UnZip versions. Now, by default, on AtheOS, BeOS, and
Unix, the current umask value is applied (to the normal
user/group/other permissions).
Bruno
