bug-gnu-utils

Re: rx-1.5 tarfile uses ".." for directory name


From: Tom Lord
Subject: Re: rx-1.5 tarfile uses ".." for directory name
Date: Mon, 14 Oct 2002 21:53:33 -0700 (PDT)

You must have gotten 1.5 from GNU.

Don't use that version.  I don't know why they still distribute it.

The version in libhackerlab, from ftp.regexps.com is more useful.

-t

   Date: Mon, 14 Oct 2002 21:43:29 -0700 (PDT)
   From: "Jeremy C. Reed" <address@hidden>

   The old rx-1.5 tarfile contains:

   -rw-r--r-- lord/tlord    38237 Jan 15 12:31 1997 rx-1.5/rx/../doc/rx.texi
   -rw-r--r-- lord/tlord    36629 Jan 15 12:31 1997 rx-1.5/rx/../doc/rx.info
   -rw-r--r-- lord/tlord   146156 Nov 21 21:49 1996 rx-1.5/rx/../doc/texinfo.tex

   Instead of "rx-1.5/doc/".

   Some modern versions of tar (like GNU alpha tar) don't accept ".." in the
   filename, because users may unknowingly overwrite files.

   For example, tar may say:

           /usr/bin/tar: rx-1.5/rx/../doc/rx.texi: Member name contains `..'
           /usr/bin/tar: rx-1.5/rx/../doc/rx.info: Member name contains `..'
           /usr/bin/tar: rx-1.5/rx/../doc/texinfo.tex: Member name contains `..'
           /usr/bin/tar: Error exit delayed from previous errors

   In this case, it doesn't seem like any possible security issue, but
   inconvenient. Feel free to share any legitimate examples of allowing ".."
   in a tar file filename.

   Can you consider remaking rx-1.5 (as rx-1.5.1, for example) without ".."?

   (By the way, I emailed this email address as it is noted in the
   rx-1.5/ANNOUNCE file. I also bcc'd to Tom Lord.)

   Thanks,

      Jeremy C. Reed
      http://www.isp-faq.com/
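
Added example (not part of the original thread, and not code from tar or rx): a pre-extraction audit of member names that separates names merely containing a ".." component, like the three quoted above, from names whose normalized path would leave the extraction directory. The archive is built in memory; the member names other than the one taken from the listing above are constructed for contrast, and the function names are this example's own.

```python
import io
import posixpath
import tarfile

# First name is from the listing above; the other two are constructed samples.
SAMPLE_NAMES = [
    "rx-1.5/rx/../doc/rx.texi",
    "rx-1.5/rx/rx.c",            # constructed: no ".." at all
    "rx-1.5/../../outside.txt",  # constructed: normalizes to a path outside
]

def build_sample_archive(names):
    """Build an in-memory tar whose member names are stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_member(name):
    """Return (has_dotdot, escapes, normalized) for one member name.

    has_dotdot: a ".." path component is present (the condition tar reports).
    escapes:    the lexically normalized path is absolute or climbs above
                the extraction directory.
    The check is lexical only. It does not account for symlinks extracted
    earlier from the same archive, which is one reason a blanket refusal
    of ".." is the more conservative policy.
    """
    has_dotdot = ".." in name.split("/")
    normalized = posixpath.normpath(name)
    escapes = (name.startswith("/") or normalized == ".."
               or normalized.startswith("../"))
    return has_dotdot, escapes, normalized

def audit_archive(fileobj):
    """Audit every member name without extracting anything."""
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        return {m.name: audit_member(m.name) for m in tf.getmembers()}

if __name__ == "__main__":
    for name, result in audit_archive(build_sample_archive(SAMPLE_NAMES)).items():
        print(name, result)
```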






