On 14 July 2013 20:42, Nick <suckless-...@njw.me.uk> wrote:
> Quoth Galos, David:
>> Thanks in large part to your information about how you invoke tar, I
>> believe I have come up with a decent solution. I also was able to
>> find the structified version of tar I had worked on in the past.
>
> I'd be inclined to check for and filter out leading .. and /
> characters, to avoid tarballs doing unexpectedly evil things.
I think all security onus for stuff like that should be on the user -- they can still do unexpectedly evil things either way (even stripping .. and /). It should be the user's responsibility to verify what will happen when a tarball is extracted using -t.
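For reference, the two positions in this exchange map onto two different filters on archive member names. The following is an added illustration, not code from sbase or from either poster: strip_leading() implements the "filter out leading .. and /" suggestion (the same normalisation GNU tar applies by default), and safe_member() is the stricter check that rejects any ".." component at any position, since a name such as a/../../etc/passwd passes the leading-only filter untouched. Neither filter covers a member that first creates a symlink to a directory outside the extraction root and then writes a later member through it; that class needs per-entry checks at extraction time, which is part of why inspecting the listing with -t first is still sound advice.

```c
#include <stdio.h>
#include <string.h>

/*
 * Return a pointer into `name` past any leading "/", "./" and "../"
 * components.  This is the "strip leading .. and /" approach: it
 * rewrites "/etc/passwd" to "etc/passwd" and "../../x" to "x", but
 * leaves an embedded "a/../../x" alone.  Returns "" if nothing is left.
 */
const char *
strip_leading(const char *name)
{
	for (;;) {
		if (name[0] == '/') {
			name++;
		} else if (name[0] == '.' && name[1] == '/') {
			name += 2;
		} else if (name[0] == '.' && name[1] == '.' &&
		           (name[2] == '/' || name[2] == '\0')) {
			name += (name[2] == '/') ? 3 : 2;
		} else {
			break;
		}
	}
	return name;
}

/* Return 1 if any '/'-separated component of `name` is exactly "..". */
int
has_dotdot(const char *name)
{
	const char *p = name;

	while (*p) {
		const char *end = strchr(p, '/');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return 1;
		if (!end)
			break;
		p = end + 1;
	}
	return 0;
}

/*
 * Return 1 if `name` may be extracted relative to the current directory:
 * non-empty, not absolute, and with no ".." component anywhere.
 * This is the stricter alternative to merely stripping leading parts.
 */
int
safe_member(const char *name)
{
	return name[0] != '\0' && name[0] != '/' && !has_dotdot(name);
}

int
main(void)
{
	/* Constructed sample member names, as a tarball could carry them. */
	const char *names[] = {
		"etc/passwd", "/etc/passwd", "../../etc/passwd",
		"a/../../etc/passwd", "./src/tar.c", "..",
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		const char *stripped = strip_leading(names[i]);
		printf("%-22s stripped=%-16s safe=%d\n",
		       names[i], stripped[0] ? stripped : "(empty)",
		       safe_member(names[i]));
	}
	return 0;
}
```

Running it shows the gap between the two approaches: the stripped form of a/../../etc/passwd is unchanged and still escapes, which is exactly what safe_member() catches, while both agree on plain absolute or leading-dotdot names.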