Arun Isaac <arunis...@systemreboot.net> wrote:

>>> * Proposal
>>>
>>> zip bomb (zip archives without a top level directory) handling should
>>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>>> boolean argument to the `unpack' phase.
>>
>> I guess the Boolean argument would determine whether to do (chdir
>> (first-subdirectory ".")), right?
>>
>> Unfortunately that’s not enough for the cases where an origin has
>> patches or a snippet, because that code also assumes there’s only one
>> subdirectory (see ‘patch-and-repack’ in (guix packages)).
>
> Ah, I didn't think of that.
>
>> Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.
>
> Unfortunately, I don't know what that fix would look like. :-( Perhaps
> `patch-and-repack' should somehow autodetect whether the archive is a
> bomb or not. Do you think that is a good solution? It sounds
> overcomplicated to me.

Yeah, I don’t really know either. It could certainly detect that
unpacking created more than one file, and maybe it could automatically
create a directory and move everything there. It’s a bit complicated
for the occasional tarbomb, indeed…

> Or, we can just let this matter rest as it is not too important.

Maybe!

Thanks,
Ludo’.
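
The detection discussed in this thread (notice that unpacking produced something other than a single directory, then create one and move everything into it) could look like the following in Guile. This is an added example, not code from Guix or from either poster: `normalize-unpacked-tree!' and its helpers are hypothetical names, the default wrapper name "source" is an assumption, and DIRECTORY is assumed to contain nothing but the freshly unpacked files.

```scheme
;; Added illustration; all procedure names here are hypothetical and
;; are not part of (guix packages) or (guix build utils).
(use-modules (ice-9 ftw)     ; scandir
             (ice-9 match))

(define (entries directory)
  "Return the names found in DIRECTORY, without \".\" and \"..\"."
  (or (scandir directory
               (lambda (name) (not (member name '("." "..")))))
      (error "not a readable directory" directory)))

(define (real-directory? file)
  "True if FILE is a directory.  lstat is used so that a symlink
pointing at a directory does not count as one."
  (eq? 'directory (stat:type (lstat file))))

(define (fresh-name taken base)
  "Return BASE, or BASE plus a numeric suffix, that is not in TAKEN."
  (let loop ((n 0))
    (let ((candidate (if (zero? n)
                         base
                         (string-append base "-" (number->string n)))))
      (if (member candidate taken)
          (loop (+ n 1))
          candidate))))

(define* (normalize-unpacked-tree! directory #:optional (wrapper "source"))
  "Make sure DIRECTORY has exactly one top-level sub-directory and
return its name, so the caller can enter it as it would for a
well-formed archive."
  (match (entries directory)
    (()
     (error "archive unpacked to nothing" directory))
    (((? (lambda (name)
           (real-directory? (string-append directory "/" name)))
         name))
     name)                     ; exactly one directory: nothing to do
    (names                     ; bomb: several entries, or a lone file
     (let ((target (fresh-name names wrapper)))
       (mkdir (string-append directory "/" target))
       (for-each (lambda (name)
                   (rename-file (string-append directory "/" name)
                                (string-append directory "/" target "/" name)))
                 names)
       target))))
```

`fresh-name' is there because a bomb may itself contain an entry called "source"; without it the wrapper directory would collide with unpacked content.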