Andreas J. Koenig wrote:
>>>>>> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern <[EMAIL PROTECTED]> said:
> 
>   > Now that the CPAN shells and archiving modules are handling it at their end, I
>   > think the PAUSE filter should be removed.  It's not PAUSE's job to be the code
>   > police.
> 
> It is 'tar xzf CPANFILE.tar.gz' which is exploitable. No CPAN shell
> and archiving module involved.

What I was expressing is that the CPAN shell can do the twiddling to strip
flags at the point of extraction, rather than PAUSE stopping it at the gate.
Archive::Tar already does this (see $Archive::Tar::INSECURE_EXTRACT_MODE).
The important distinction is that it's done under the user's control and
not by PAUSE fiat.  PAUSE shouldn't be playing security nanny or any other
nanny.

It's not even necessary or effective, because there's already a perfectly
sensible and universal way to avoid this problem, and that's to set your umask
to something sensible.  Then, no matter what the archive's internal permissions
are set to, they'll be stripped when it's extracted.

Most systems already do this by default, because it's good security practice.
If you don't have a umask set, that's a basic vulnerability *at the user's
end*.  No amount of hand-holding from CPAN will protect the user without a
umask.  Some other system will ship a world writable file or a setuid
executable or something.  Then you're hosed all over again.

We are trying to fix a basic, widespread, user-end security hole, one that is
not at all specific to Perl, at too high a level and too specific a system.

It's like plugging one hole in a screen door.
-- 
Insulting our readers is part of our business model.
        http://somethingpositive.net/sp07122005.shtml

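The umask-at-extraction argument above, as an added Python example (not code from the thread, PAUSE, or Archive::Tar): it builds a constructed tarball with a setuid, world-writable entry, computes which bits a umask actually clears (only rwx bits, so 022 leaves setuid in place), and extracts the entry with Python's tarfile, which chmods to the archived mode and so bypasses the umask entirely unless an extraction-side strip is applied. `client_strip`, `extract_and_stat` and the sample path are assumptions for illustration, not Archive::Tar's implementation.

```python
import io
import os
import stat
import tarfile
import tempfile

# Constructed sample: one setuid, world-writable entry (mode 4777) in a tarball.
SAMPLE_NAME = "Foo-Bar-1.0/bin/helper"
SAMPLE_MODE = 0o4777
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX

def build_sample_tarball() -> bytes:
    """Return a gzip tarball whose single member carries SAMPLE_MODE."""
    buf = io.BytesIO()
    data = b"#!/usr/bin/perl\nprint \"hi\\n\";\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(SAMPLE_NAME)
        info.size = len(data)
        info.mode = SAMPLE_MODE
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def umask_mode(archive_mode: int, umask: int) -> int:
    """Mode a file gets when the extractor creates it through the umask:
    only the rwx bits named in the umask are cleared; setuid/setgid survive."""
    return archive_mode & ~umask & 0o7777

def client_strip(member: tarfile.TarInfo) -> tarfile.TarInfo:
    """Hypothetical extraction-side policy in the spirit of the CPAN-shell
    approach: drop setuid/setgid/sticky and group/other write, umask or not."""
    member.mode &= ~(SPECIAL_BITS | stat.S_IWGRP | stat.S_IWOTH)
    return member

def extract_and_stat(tarball: bytes, umask: int, use_filter: bool) -> int:
    """Extract the sample under `umask`; return the helper's permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as dest:
            with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
                if hasattr(tarfile, "fully_trusted_filter"):  # pin behaviour on new Pythons
                    tf.extraction_filter = tarfile.fully_trusted_filter
                for member in tf.getmembers():
                    tf.extract(client_strip(member) if use_filter else member, dest)
            # tarfile chmods to the archived mode, so the umask never applies here
            return stat.S_IMODE(os.stat(os.path.join(dest, SAMPLE_NAME)).st_mode)
    finally:
        os.umask(old)
```

Running `extract_and_stat(build_sample_tarball(), 0o022, False)` shows the world-write bit still present after extraction; the same call with `True` returns 0o755.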