Hi Cedric, thanks for the report!

On Monday, June 5, 2017 5:34:58 PM CEST Cedric Buissart wrote:
> Looking at cpio, I found what seems to be a way to bypass the
> --no-absolute-filenames option, which supposedly prevents data from being
> written outside of the current folder.

This sounds like a real issue, according to 'info cpio':

    '--no-absolute-filenames'
         [*note copy-in::,*note copy-out::]
         Create all files relative to the current directory in copy-in
         mode, even if they have an absolute file name in the archive.

> The very naive patch attached makes use of safer_name_suffix() to sanitize
> symlink's value.

The patch implements uncommon behavior among archivers. Extracting the
absolute symlink to directory _is not_ an issue (it is a completely safe
operation); the following extraction of files through this symlink *might be*
an issue. More importantly, valid extraction of absolute symlink is often
really desired even with --no-absolute-filenames.

In other words and IMO, if we were to fix this issue, we should only refuse
to extract files through symlinks.

Pavel
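
The policy proposed in the reply above (create symlinks as stored, refuse only members whose path passes through a symlink), as an added Python example; it is not cpio's code or the attached patch. `parent_symlink`, `extract` and the member tuples are hypothetical names, and the archive listing is constructed sample data.

```python
import os
import stat
import tempfile

def parent_symlink(root, rel):
    """Return the first existing parent component of rel (under root) that
    is a symlink, or None if the path does not pass through one."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    current = root
    for part in parts[:-1]:               # parents only, not the member itself
        current = os.path.join(current, part)
        try:
            mode = os.lstat(current).st_mode   # lstat: do not follow the link
        except FileNotFoundError:
            return None                   # not on disk yet, nothing to follow
        if stat.S_ISLNK(mode):
            return current
    return None

def extract(root, members):
    """Extract constructed (name, kind, data) members; return refused names.
    Assumes nothing else modifies root during extraction (no race handling)."""
    refused = []
    for name, kind, data in members:
        rel = name.lstrip("/")            # relative, as --no-absolute-filenames
        if ".." in rel.split("/") or parent_symlink(root, rel):
            refused.append(name)
            continue
        dest = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if kind == "symlink":
            os.symlink(data, dest)        # target kept verbatim, absolute or not
        else:
            # O_EXCL also refuses a final component that is already a symlink
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
    return refused

def demo():
    with tempfile.TemporaryDirectory() as root, \
         tempfile.TemporaryDirectory() as outside:
        members = [("link", "symlink", outside),          # absolute target
                   ("link/escaped.txt", "file", b"x"),    # goes through link
                   ("dir/ok.txt", "file", b"y")]          # ordinary member
        refused = extract(root, members)
        return (refused, os.listdir(outside),
                os.path.islink(os.path.join(root, "link")),
                os.path.exists(os.path.join(root, "dir", "ok.txt")))
```

The absolute symlink is still created; only the member named through it is refused, so nothing lands in the directory the link points to.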