Quoth Chris Down:
> On 14 July 2013 20:42, Nick <suckless-...@njw.me.uk> wrote:
> > I'd be inclined to check for and filter out leading .. and /
> > characters, to avoid tarballs doing unexpectedly evil things.
>
> I think all security onus for stuff like that should be on the user --
> they can still do unexpectedly evil things either way (even stripping
> .. and /). It should be the user's responsibility to verify what will
> happen when a tarball is extracted using -t.
What other evil things can tar creators do? Going back to the workflow question, then, who here always checks the list of all files in an archive to check that there's nothing with a suspicious path? I know I don't, because I can trust gnu tar to check for me, and that's a Good Thing.
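The kind of path check the thread is arguing about (leading `/`, `..` components, and links that point outside the extraction directory), written as an added example that is not code from the thread or from GNU tar. It is a Python listing pass over a tarball that reports every member which would land outside the extraction root, the same class of entry GNU tar refuses by default. The sample archive is constructed in memory for the example; the `../`/`/`-escape rule is expressed with `posixpath.normpath`, which is an assumption about how entry names are resolved, not a description of tar's own implementation.

```python
import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    """True if a POSIX entry name would resolve outside the extraction directory.

    Absolute names escape trivially; relative names escape when normalisation
    (collapsing "." and "..") still leaves a leading ".." component.
    """
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(tar: tarfile.TarFile) -> list[tuple[str, str]]:
    """Return (member name, reason) for each entry that would write outside the root."""
    findings = []
    for m in tar.getmembers():
        if _escapes_root(m.name):
            findings.append((m.name, "entry path escapes the extraction root"))
            continue
        if m.issym() or m.islnk():
            # A relative symlink target is resolved from the link's own directory;
            # a hard link target is always relative to the archive root.
            base = posixpath.dirname(m.name) if m.issym() else ""
            target = m.linkname if m.linkname.startswith("/") else posixpath.join(base, m.linkname)
            if _escapes_root(target):
                findings.append((m.name, f"link target {m.linkname!r} escapes the extraction root"))
    return findings


def check_archive(data: bytes) -> list[tuple[str, str]]:
    """Open an in-memory tarball and list its unsafe members without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar)


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus three entries that escape the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/README", "../../escaped.txt", "/absolute.txt"):
            data = b"x"
            info = tarfile.TarInfo(name)  # addfile() stores the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../tmp"  # resolves to ../../tmp relative to the root
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in check_archive(build_sample_archive()):
        print(f"REFUSE {name}: {reason}")
```

Running the module prints the three offending entries and stays silent about `pkg/README`. Listing the members this way is the automated equivalent of eyeballing `tar -t` output; on Python 3.12 and later the same policy can be enforced at extraction time by passing `filter="data"` to `TarFile.extractall`.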