Joseph Wu created MESOS-9646:
--------------------------------
Summary: Look into enabling the libarchive extraction flag
ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS by defaul
Key: MESOS-9646
URL: https://issues.apache.org/jira/browse/MESOS-9646
Project: Mesos
Issue Type: Improvement
Affects Versions: 1.7.0, 1.8.0
Reporter: Joseph Wu
The libarchive source provides the following flag:
{code}
/* Default: Do not try to guard against extracts redirected by symlinks. */
/* Note: With ARCHIVE_EXTRACT_UNLINK, will remove any intermediate symlink. */
#define ARCHIVE_EXTRACT_SECURE_SYMLINKS (0x0100)
{code}
https://github.com/libarchive/libarchive/blob/master/libarchive/archive.h#L672-L674
We should check if the default behavior is unsecure (i.e. allowing a fetched
artifact to affect files outside the sandbox).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
