On Jul 16, 2013 3:58 AM, "Nick" <[email protected]> wrote:
>
> Quoth Chris Down:
> > On 14 July 2013 20:42, Nick <[email protected]> wrote:
> > > I'd be inclined to check for and filter out leading .. and /
> > > characters, to avoid tarballs doing unexpectedly evil things.
> >
> > I think all security onus for stuff like that should be on the user --
> > they can still do unexpectedly evil things either way (even stripping
> > .. and /). It should be the user's responsibility to verify what will
> > happen when a tarball is extracted using -t.
>
> What other evil things can tar creators do?
>
I dislike archives that don't extract into their own directory. Like Chris said -t
> Going back to the workflow question, then, who here always checks
> the list of all files in an archive to check that there's nothing
> with a suspicious path? I know I don't, because I can trust gnu tar
> to check for me, and that's a Good Thing.
>
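The thread argues about whether to strip leading `..` and `/` from member names or to leave it to the user to review `tar -t` output. The script below is an added example, not code from the thread or from the tool being discussed: it does the `tar -t` review mechanically with Python's standard `tarfile` module, flagging every member that would land outside a fresh extraction directory (absolute path, `..` component, symlink or hard link pointing above the tree, a file written through a symlink created earlier in the same archive) plus device nodes and setuid/setgid bits. The sample archive, its member names and the `audit_tar`/`member_problems` helper names are all constructed here for the demonstration.

```python
"""Audit tar members for paths that would escape the extraction directory.

Added example, not code from the original thread. It performs the `tar -t`
review mechanically: every member is checked for a leading '/', a '..'
component, a link target outside the tree, a regular file whose path passes
through a symlink created earlier in the same archive, a device node, and
setuid/setgid bits. The sample archive is constructed in memory; every path
in it is made up for the demonstration.
"""
import io
import posixpath
import tarfile


def _escapes(rel):
    """True if a relative path, once normalised, climbs above its start directory."""
    norm = posixpath.normpath(rel)
    return norm == ".." or norm.startswith("../")


def member_problems(member, earlier_symlinks):
    """Return the reasons one TarInfo is unsafe to extract into a fresh directory.

    earlier_symlinks: normalised names of symlink members that precede this one
    in the archive; a later file written "through" one of them lands wherever
    the symlink points, even though its own path looks clean.
    """
    problems = []
    name = member.name
    norm = posixpath.normpath(name)

    if name.startswith("/"):
        problems.append("absolute path")
    if _escapes(name):
        problems.append("'..' component escapes the extraction directory")

    # Any ancestor directory of this member that an earlier symlink would occupy.
    parts = norm.split("/")
    for i in range(1, len(parts)):
        prefix = "/".join(parts[:i])
        if prefix in earlier_symlinks:
            problems.append("path passes through symlink %r" % prefix)
            break

    if member.issym():
        target = member.linkname
        if target.startswith("/"):
            problems.append("symlink target is absolute")
        elif _escapes(posixpath.join(posixpath.dirname(norm), target)):
            problems.append("symlink target escapes the extraction directory")
    elif member.islnk():
        # Hard link targets are relative to the archive root, not to the member's directory.
        if member.linkname.startswith("/") or _escapes(member.linkname):
            problems.append("hard link target outside the archive")

    if member.isdev():
        problems.append("device node")
    if member.mode & 0o6000:
        problems.append("setuid/setgid bit")
    return problems


def audit_tar(fileobj):
    """Return {member name: [problems]} for every member that fails the checks."""
    findings = {}
    symlinks = set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            problems = member_problems(member, symlinks)
            if problems:
                findings[member.name] = problems
            if member.issym():
                symlinks.add(posixpath.normpath(member.name))
    return findings


def build_sample_archive():
    """Construct an in-memory archive with one benign member and several hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x", mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README")                  # benign
        add_file("/etc/cron.d/job")             # absolute path
        add_file("../../.bashrc")               # climbs out with '..'
        link = tarfile.TarInfo("pkg/out")       # symlink pointing above the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tar.addfile(link)
        add_file("pkg/out/payload")             # clean-looking path, written through the symlink
        dev = tarfile.TarInfo("pkg/null")       # character device
        dev.type = tarfile.CHRTYPE
        dev.devmajor, dev.devminor = 1, 3
        tar.addfile(dev)
        add_file("pkg/helper", mode=0o4755)     # setuid binary
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, problems in audit_tar(build_sample_archive()).items():
        print("%-20s %s" % (name, "; ".join(problems)))
```

To run it over a real archive, pass an open binary file handle to `audit_tar`. Note that stripping a leading `/` or `..` is not enough on its own: the `pkg/out/payload` member has a perfectly clean name and is caught only because the checker remembers that `pkg/out` was a symlink earlier in the same archive, which is why the audit walks members in order rather than inspecting each path in isolation.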
