ppkarwasz commented on PR #428: URL: https://github.com/apache/commons-codec/pull/428#issuecomment-4230186257
> If normalizing `.` has 0% chance of malicious side-effects (symbolic link?) then we should normalize it. Isn't that the case? This class doesn't write anything to disk nor it follows symlinks. The `.` and `..` path segments are of no concern for the security of this class. The reason I don't want `..` in path names is that it would add complexity for a case that doesn't seem legitimate. An archive entry like `foo/../bar` or `../../etc/passwd` looks more like a malicious entry. GNU TAR warns about such entries, this API will throw if a user passes such an entry. I allowed the presence of `.` in https://github.com/apache/commons-codec/pull/428/commits/b30589571bdab54cbf54f8a3a433c5644d43ac5e -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
