Joseph Wu created MESOS-9646: -------------------------------- Summary: Look into enabling the libarchive extraction flag ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS by defaul Key: MESOS-9646 URL: https://issues.apache.org/jira/browse/MESOS-9646 Project: Mesos Issue Type: Improvement Affects Versions: 1.7.0, 1.8.0 Reporter: Joseph Wu
The libarchive source provides the following flag: {code} /* Default: Do not try to guard against extracts redirected by symlinks. */ /* Note: With ARCHIVE_EXTRACT_UNLINK, will remove any intermediate symlink. */ #define ARCHIVE_EXTRACT_SECURE_SYMLINKS (0x0100) {code} https://github.com/libarchive/libarchive/blob/master/libarchive/archive.h#L672-L674 We should check if the default behavior is unsecure (i.e. allowing a fetched artifact to affect files outside the sandbox). -- This message was sent by Atlassian JIRA (v7.6.3#76005)