Re: [dev] Miscellaneous sbase issues

2015-05-05 Thread Truls Becken
+1 for option 3) Why would anybody want to trust somebody that creates malicious archives like that? A symlink in an archive should just be a symlink, nothing more. -Truls

Re: [dev] Miscellaneous sbase issues

2015-05-05 Thread Dimitris Papastamos
On Mon, Apr 27, 2015 at 08:12:42PM +0100, Nick wrote:
> One thing the patch doesn't cover is an archive using a symlink to
> somewhere like ../../ and then putting a file in symlink/newfile
> (hence sending it to ../../newfile). I only thought of that when
> reading the bsdtar manpage[0].
>
> I

Re: [dev] Miscellaneous sbase issues

2015-04-27 Thread Nick
Quoth Nick:
> Quoth Dimitris Papastamos:
> > Some things that need to be done for tar:
> >
> > ...
> > - Strip leading / from filenames and dangerous things like ../../ etc.
>
> OK, attached is a patch that does that. I think it covers all the
> bases.

One thing the patch doesn't cover is an a

Re: [dev] Miscellaneous sbase issues

2015-04-27 Thread FRIGN
On Sun, 26 Apr 2015 18:24:18 -0700 Michael Forney wrote:

Hi Michael,

> printf
> --
> Ignores flag characters '#', '0', '-', ' ', and '+', but is labeled as
> POSIX compliant and complete, so this is presumably unintentional.
>
> "git am" breaks without this functionality.

I fixed this in t

Re: [dev] Miscellaneous sbase issues

2015-04-27 Thread Nick
Quoth Dimitris Papastamos:
> Some things that need to be done for tar:
>
> ...
> - Strip leading / from filenames and dangerous things like ../../ etc.

OK, attached is a patch that does that. I think it covers all the bases.

From b5acf1e9254080c2f283c623f59e412cdb29939a Mon Sep 17 00:00:00 200

Re: [dev] Miscellaneous sbase issues

2015-04-27 Thread Dimitris Papastamos
On Sun, Apr 26, 2015 at 06:24:18PM -0700, Michael Forney wrote:
> tar
> ---
> Since fb1595a69c091a6f6a9303b1fab19360b876d114, tar calls remove(3) on
> directories before extracting them. I'm not sure that it is reasonable
> for tar to do this because users may want to re-extract archives, or
> extr

Re: [dev] Miscellaneous sbase issues

2015-04-27 Thread koneu
On April 27, 2015 3:24:18 AM CEST, Michael Forney wrote:
>Hi suckless,
>
>I came across some issues in sbase whose solution wasn't immediately
>apparent:
>
>printf
>--
>Ignores flag characters '#', '0', '-', ' ', and '+', but is labeled as
>POSIX compliant and complete, so this is presumably u

[dev] Miscellaneous sbase issues

2015-04-26 Thread Michael Forney
Hi suckless,

I came across some issues in sbase whose solution wasn't immediately apparent:

printf
--
Ignores flag characters '#', '0', '-', ' ', and '+', but is labeled as POSIX compliant and complete, so this is presumably unintentional.

"git am" breaks without this functionality.

tar
---