Martin Cracauer wrote: > The security implications are easy to understand and very well in line > with other Unix features. Unpacking an tar or zip file has a lot more > potential to do damage than this (because the unpacking can also > contains permissions, you can put a *.cgi with a+x just for starters). > > How come nobody demands that the 3 files that come out of "foo.tar" > are named foo.1, foo.2 and foo.3 instead of bar.c, bar.h and Makefile? The situation isn't quite identical (if you unpack a tarball, you should get the same result every time, while a malicious server could be used for an adaptive attack), but your point is still quite reasonable. I withdraw my objection to this feature, as long as the manual page contains appropriate warnings about not using this flag if there are any files in the current working directory which you don't want to have overwritten. Colin PercivalReceived on Sat Dec 31 2005 - 10:44:07 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:50 UTC