On Tue, Jul 16, 2013 at 08:58:49AM +0100, Nick wrote:
> Quoth Chris Down:
> > On 14 July 2013 20:42, Nick <suckless-...@njw.me.uk> wrote:
> > > I'd be inclined to check for and filter out leading .. and /
> > > characters, to avoid tarballs doing unexpectedly evil things.
> > 
> > I think all security onus for stuff like that should be on the user --
> > they can still do unexpectedly evil things either way (even stripping
> > .. and /). It should be the user's responsibility to verify what will
> > happen when a tarball is extracted using -t.
> 
> What other evil things can tar creators do?
> 

Create a tar that contains itself?

> Going back to the workflow question, then, who here always checks 
> the list of all files in an archive to check that there's nothing 
> with a suspicious path? I know I don't, because I can trust gnu tar 
> to check for me, and that's a Good Thing.

I do partially. That is, I usually list the archive before unpacking,
but I don't visually scan each and every entry, because, for one, I use
st, so no scrollback buffer (I refuse to run a terminal multiplexer in
an environment, where it is never going to see more than one terminal),
and the other is laziness. (I am going to assume that the tarball I
regretfully had to download from the FSF's main FTP site actually
contains what it says on the tin. Speaking of which, is anyone up for
some suckless binutils?)

Ciao,
Markus
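
The check discussed in this thread (refusing entries whose path starts with `..` or `/`), as an added example that is not part of the original thread or of any tar implementation. It lists the archive first, as the replies describe, but lets a script rather than a scrollback buffer do the scanning. It goes a little beyond the two cases named above: it normalises each path so that a `..` buried in the middle of a name is caught too, and it applies the same test to symlink and hardlink targets. The sample tarball is constructed in memory for the demonstration; the function and member names are this example's own.

```python
"""Pre-extraction audit of tar member paths (added example, not from the thread)."""
import io
import posixpath
import tarfile


def escapes(path):
    """True if `path` is absolute or normalises to a location above '.'.

    posixpath.normpath collapses 'a/../../x' to '../x', so this catches
    traversal anywhere in the name, not only a literal leading '..'.
    """
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def strip_leading(path):
    """The simpler 'strip leading .. and /' approach discussed in the thread,
    shown for comparison: it leaves 'good/../../evil2' untouched."""
    while True:
        if path.startswith("/"):
            path = path[1:]
        elif path == ".." or path.startswith("../"):
            path = path[3:]
        else:
            return path


def unsafe_members(tar_bytes):
    """Return [(member name, reason)] for entries that would land outside
    the extraction directory. Reads the archive from bytes; nothing is
    written to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes(m.name):
                findings.append((m.name, "path escapes extraction dir"))
            elif m.issym():
                # A symlink target is resolved relative to the link's own
                # directory, so join the two before normalising.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes(target):
                    findings.append((m.name, "symlink points outside extraction dir"))
            elif m.islnk():
                # Hardlink targets in tar are archive-relative paths.
                if escapes(m.linkname):
                    findings.append((m.name, "hardlink target outside extraction dir"))
    return findings


def build_sample_tarball():
    """Constructed in memory for this demo; not a real-world archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:

        def add_file(name, content=b"hello\n"):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)

        add_file("good/file.txt")                 # benign
        add_file("../evil.txt")                   # leading .. (case from the thread)
        add_file("/etc/evil")                     # leading / (case from the thread)
        add_file("good/../../evil2")              # survives a leading-only strip
        add_symlink("good/link", "../file.txt")   # benign: resolves to good/../file.txt -> file.txt
        add_symlink("escape", "../../outside")    # points above the extraction dir
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_tarball()
    for name, why in unsafe_members(data):
        print(f"{name!r}: {why}")
    print("after leading-only strip:", strip_leading("good/../../evil2"))
```

Run it against a downloaded archive with `unsafe_members(open(path, "rb").read())` before extracting; an empty list means no entry, link target included, resolves above the extraction directory. The `strip_leading` helper is only there to show why normalising the whole path is preferable to trimming its prefix.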
