Date: Fri, 9 Jan 2015 21:18:29 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Directory traversals in cpio and friends?

* Alexander Cherepanov <cherepan@...me.ru>, 2015-01-08, 02:43:
>The results of tests of tar and cpio archives against various commands
>follow. '=' means that the corresponding file is not extracted, 'x'
>means that it is extracted. IMHO secure configuration should list
>three '=', insecure configuration should list three 'x', everything
>else is inconsistent. The list was created by the attached scripts.
>
>=== tar ===
>abs rel link cmd
>=   =   =    tar -x
>x   x   x    tar -x -P
>=   =   =    bsdtar -x
>x   x   x    bsdtar -x -P
>=   x   x    paxtar -x
>x   x   x    paxtar -x -P
>x   x   x    pax -r

Let me add:

abs rel link cmd
=   =   x    star -x
=   =   =    star -x -secure-links
x   x   x    star -x -/ -..

(tested with star 1.5.3)

-- 
Jakub Wilk
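The three columns above correspond to three ways an archive member can land outside the extraction directory. The following is an added example, not the scripts attached in the thread: it uses Python's tarfile module to inspect an archive without extracting anything and reports members that are absolute, climb out via '..', or depend on a symlink (a link pointing outside the tree, or a later member whose path goes through an earlier symlink). The sample archive is constructed in the code; the member names in it are made up for the demonstration.

```python
import io
import posixpath
import tarfile

def escapes(path):
    """Return 'abs' for an absolute path, 'rel' if it climbs out via '..', else None."""
    if path.startswith('/'):
        return 'abs'
    if posixpath.normpath(path).split('/')[0] == '..':
        return 'rel'
    return None

def audit_tar(data):
    """Inspect a tar archive (bytes) without extracting. Returns {'abs','rel','link'}
    lists of member names matching the table's three columns: absolute path, '..'
    traversal, and symlink tricks (link pointing outside, or a path through one)."""
    findings = {'abs': [], 'rel': [], 'link': []}
    symlinks = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:') as tf:
        for m in tf:
            kind = escapes(m.name)
            if kind:
                findings[kind].append(m.name)
                continue
            # Does this member's path walk through a symlink seen earlier in the archive?
            parts = m.name.split('/')
            prefixes = ['/'.join(parts[:i]) for i in range(1, len(parts))]
            if any(p in symlinks for p in prefixes):
                findings['link'].append(m.name)
                continue
            if m.issym():
                symlinks.add(m.name)
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if m.linkname.startswith('/') or escapes(target):
                    findings['link'].append(m.name)
    return findings

def build_sample():
    """Constructed sample archive: one harmless file plus one entry per column."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tf:
        for name in ('ok/readme', '/etc/abs_test', '../rel_test', 'l', 'l/link_test'):
            info = tarfile.TarInfo(name)
            if name == 'l':  # symlink whose target lies outside the extraction directory
                info.type, info.linkname = tarfile.SYMTYPE, '/tmp'
                tf.addfile(info)
            else:
                info.size = 4
                tf.addfile(info, io.BytesIO(b'data'))
    return buf.getvalue()
```

Running audit_tar(build_sample()) flags one member per column, so an archive that produces empty lists for all three is one that the '= = =' configurations in the table would extract without leaving the target directory.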