Date: Fri, 9 Jan 2015 21:18:29 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Directory traversals in cpio and friends?

* Alexander Cherepanov <cherepan@...me.ru>, 2015-01-08, 02:43:
>The results of tests of tar and cpio archives against various commands
>follow. '=' means that the corresponding file is not extracted, 'x'
>means that it is extracted. IMHO secure configuration should list
>three '=', insecure configuration should list three 'x', everything
>else is inconsistent. The list was created by the attached scripts.
>
>=== tar ===
>abs rel link cmd
>= = = tar -x
>x x x tar -x -P
>= = = bsdtar -x
>x x x bsdtar -x -P
>= x x paxtar -x
>x x x paxtar -x -P
>x x x pax -r

Let me add:

= = x star -x
= = = star -x -secure-links
x x x star -x -/ -..

(tested with star 1.5.3)

-- 
Jakub Wilk
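Added here as an illustration, not code from the thread, its attached scripts or any of the tools listed: a Python audit that sorts the members of a tar archive into the table's three columns before the archive is handed to an extractor. It assumes "abs" means an absolute member name, "rel" a name that climbs above the target directory via "..", and "link" a regular file whose path passes through an earlier symlink member pointing outside; the sample archive and its member names are constructed for the example.

```python
import io
import posixpath
import tarfile

def _add_member(tf, name, linkname=None):
    info = tarfile.TarInfo(name)        # names are taken verbatim, no sanitising
    if linkname is None:
        info.size = 1
        tf.addfile(info, io.BytesIO(b"x"))
    else:
        info.type, info.linkname = tarfile.SYMTYPE, linkname
        tf.addfile(info)

def build_test_archive():
    """Constructed sample: one member per column of the table plus a harmless one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_member(tf, "ok/file")                # stays inside the target dir
        _add_member(tf, "/tmp/abs-out")           # abs: absolute member name
        _add_member(tf, "../rel-out")             # rel: climbs above the target dir
        _add_member(tf, "link", linkname="/tmp")  # symlink pointing outside ...
        _add_member(tf, "link/link-out")          # link: ... then a file written through it
    return buf.getvalue()

def _escapes(path):
    """True if a path is absolute or, once normalised, still starts with '..'."""
    return path.startswith("/") or posixpath.normpath(path).split("/")[0] == ".."

def audit(archive_bytes):
    """Classify every member as 'abs', 'rel', 'link' or 'ok', in archive order."""
    findings, symlinks = {}, {}  # symlinks: name -> target for members seen so far
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for m in tf:
            if m.name.startswith("/"):
                cls = "abs"
            elif _escapes(m.name):
                cls = "rel"
            else:
                cls = "ok"
                # A parent archived earlier as an outward symlink: a naive extractor writes through it.
                parent = posixpath.dirname(m.name)
                while parent:
                    if (target := symlinks.get(parent)) is not None and _escapes(
                            posixpath.join(posixpath.dirname(parent), target)):
                        cls = "link"
                        break
                    parent = posixpath.dirname(parent)
            if m.issym():
                symlinks[posixpath.normpath(m.name)] = m.linkname
            findings[m.name] = cls
    return findings
```

A symlink member on its own is reported as "ok"; only a later file written through it counts as "link", since whether to refuse outward symlinks outright is the extractor's policy (compare star -secure-links in the table).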