On Sun, Oct 28, 2007 at 01:49:32AM -0400, Joey Hess wrote:
> Anthony Towns wrote:
> > To get it working for d-i uploads, I need a very reliable script that
> > will be invoked as:
> Well, I stopped when I discovered the tar on ries is still apparently
> vulnerable to #439335. I don't feel it's possible to make a very
> reliable script with an insecure tar..
> (Does dak ever unpack other tarballs? Just curious, I swear... ;-)

Not using tar directly except when specifically distrusting the filenames
in the tar file...

Can't you just test for any absolute file names and error out? I was
more worried about having a symlink x->/etc, followed by an x/passwd
file or similar, which is apparently caught, but...

The python tarfile module (or similar) might be a better bet.

Cheers,
aj
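
The two checks raised in this message (absolute member names, and a symlink x -> /etc followed by x/passwd), sketched with Python's tarfile module. This is an added example, not code from the thread or from dak; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_tar(fileobj):
    """Return (member name, reason) pairs for entries that should block unpacking."""
    problems = []
    links = set()  # normalised names of link members seen so far
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if m.name.startswith("/"):
                problems.append((m.name, "absolute file name"))
            elif ".." in parts:
                problems.append((m.name, "escapes extraction directory"))
            elif any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                problems.append((m.name, "path passes through an archived link"))
            if m.issym() or m.islnk():
                links.add(name)
                target = m.linkname
                if m.issym():  # symlink targets resolve relative to the link's directory
                    target = posixpath.join(posixpath.dirname(name), target)
                if target.startswith("/") or posixpath.normpath(target).split("/")[0] == "..":
                    problems.append((m.name, "link target outside extraction directory"))
    return problems


def build_sample():
    """Constructed archive: one benign file plus the cases raised in the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, linkname=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(data)
            tar.addfile(ti, io.BytesIO(data))
        add("images/README", b"ok\n")
        add("/etc/motd", b"x")                           # absolute name
        add("x", kind=tarfile.SYMTYPE, linkname="/etc")  # symlink x -> /etc
        add("x/passwd", b"x")                            # written through the symlink
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"REJECT {name}: {reason}")
```

A caller would refuse the whole upload when the returned list is non-empty; the audit only reads headers and extracts nothing.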
