This is related to a patch I posted on dev@, and plan to improve, so hopefully it fits into what you planned for hackers@. If not, do berate me.
Quoth Dimitris Papastamos:
> On Mon, Apr 27, 2015 at 08:12:42PM +0100, Nick wrote:
> > One thing the patch doesn't cover is an archive using a symlink to
> > somewhere like ../../ and then putting a file in symlink/newfile
> > (hence sending it to ../../newfile). I only thought of that when
> > reading the bsdtar manpage[0].
> >
> > I'm not sure what the best behaviour is in that case. Some options:
> > ...
> > 3) Refuse to create any file following a symlink (this is the
> > default behaviour of bsdtar)
> > ...
>
> I am not sure what the proper approach is. Option 3) sounds pretty
> safe as a starting point.

Quoth Truls Becken:
> +1 for option 3)
> Why would anybody want to trust somebody that creates malicious
> archives like that?
> A symlink in an archive should just be a symlink, nothing more.

Yeah. I didn't like option 3 initially, as I imagined archives being created which included lots of complex symlink stuff that was important to replicate, but actually any non-malicious tar should use a canonical file path, and not a symlink one, obviously. I should double-check our tar implementation does that.

But yes, I shall write up a patch implementing option 3 shortly. Sorry for the delay.

It's nice, once this is done our tar should be the most secure implementation there is. As I mentioned previously, bsdtar supposedly does option 3, but the code is littered with FIXMEs, so I'm not convinced that it is solid. But with this in place, and the previous stuff stripping path traversal stuff, all the attacks I know of are nicely defended against.

Can any creative thinkers imagine other ways to screw someone using a tar archive?

Nick
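The option-3 check discussed in the thread, as an added example in C that is not sbase code and not from any poster; the names `checkmember` and `setupscenario`, the return codes and the scratch directory are assumptions. It also folds in the absolute-path and `..` rejection of the earlier traversal patch, since both checks have to run on every member immediately before that member is created: the symlink may have been planted by an earlier entry of the same archive.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>

enum { PATH_OK = 0, PATH_ABSOLUTE, PATH_DOTDOT, PATH_SYMLINK, PATH_ERR = -1 };

/* May archive member `name` be created relative to the cwd?  Rejects absolute
 * names and ".." components, and (option 3) any name in which a component that
 * already exists on disk is a symlink: after a member "link -> ../..", the
 * member "link/newfile" would otherwise land in ../../newfile. */
int checkmember(const char *name)
{
	char buf[PATH_MAX], *p, *end;
	struct stat st;
	size_t len = strlen(name);
	int missing = 0;

	if (len == 0 || len >= sizeof(buf)) { errno = ENAMETOOLONG; return PATH_ERR; }
	if (name[0] == '/') return PATH_ABSOLUTE;
	memcpy(buf, name, len + 1);

	for (p = buf; ; p = end + 1) {
		end = strchr(p, '/');
		if (end) *end = '\0';          /* buf is now the prefix through this component */
		if (strcmp(p, "..") == 0) return PATH_DOTDOT;
		if (!missing) {
			if (lstat(buf, &st) == 0) {
				if (S_ISLNK(st.st_mode)) return PATH_SYMLINK;
			} else if (errno == ENOENT) {
				missing = 1;   /* nothing below here exists yet, so nothing can be followed */
			} else return PATH_ERR;
		}
		if (!end) return PATH_OK;
		*end = '/';
	}
}

/* Constructed scratch scenario from the thread (demo helper, not tar code):
 * enter `base` and create dir/ and link -> ../.. there.  0 on success, -1 on error. */
int setupscenario(const char *base)
{
	if ((mkdir(base, 0700) < 0 && errno != EEXIST) || chdir(base) < 0) return -1;
	if (mkdir("dir", 0700) < 0 && errno != EEXIST) return -1;
	unlink("link");
	return symlink("../..", "link");
}
```

Refusing an existing symlink as the final component is the conservative reading of option 3; an extractor that unlinks an existing entry before creating it could relax that one case.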