bug-gnu-utils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

rx-1.5 tarfile uses ".." for directory name

From: Jeremy C. Reed
Subject: rx-1.5 tarfile uses ".." for directory name
Date: Mon, 14 Oct 2002 21:43:29 -0700 (PDT) 
The old rx-1.5 tarfile contains:

-rw-r--r-- lord/tlord    38237 Jan 15 12:31 1997 rx-1.5/rx/../doc/rx.texi
-rw-r--r-- lord/tlord    36629 Jan 15 12:31 1997 rx-1.5/rx/../doc/rx.info
-rw-r--r-- lord/tlord   146156 Nov 21 21:49 1996 rx-1.5/rx/../doc/texinfo.tex

Instead of "rx-1.5/doc/".

Some modern versions of tar (like GNU alpha tar) don't accept ".." in the
filename, because users may unknowingly overwrite files.

For example, tar may say:

        /usr/bin/tar: rx-1.5/rx/../doc/rx.texi: Member name contains `..'
        /usr/bin/tar: rx-1.5/rx/../doc/rx.info: Member name contains `..'
        /usr/bin/tar: rx-1.5/rx/../doc/texinfo.tex: Member name contains `..'
        /usr/bin/tar: Error exit delayed from previous errors

In this case, it doesn't seem like any possible security issue, but
inconvenient. Feel free to share an legitimate examples of allowing ".."
in a tar file filename.

Can you consider remaking rx-1.5 (as rx-1.5.1, for example) without ".."?

(By the way, I emailed this email address as it is noted in the
rx-1.5/ANNOUNCE file. I also bcc'd to Tom Lord.)

Thanks,

   Jeremy C. Reed
   http://www.isp-faq.com/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]