Currently https://wiki.call-cc.org/eggref/5/chicken-doc instructs users
to run:
curl https://3e8.org/pub/chicken-doc/chicken-doc-repo-5.tgz | sudo tar zx
in a directory that's often located within /usr. This is not ideal from
a security perspective, especially given that the remote file
changes daily, so some users can be expected to repeat the command lots
of times.
An immediate safeguard is to edit the wiki page to add the verbose flag
to the suggested tar command, causing it to show the pathnames of all
the files it extracts.
For a proper fix, could chicken-doc be modified to download the tar
file, sanity-check its contents, and unpack it safely into the user's
home directory instead?
Alternatively, if the documentation is shipped in some kind of file
format with an index for fast lookup, it doesn't need to be extracted
into multiple files at all. There are reasonably simple databases like
CDB and Berkeley DB for jobs like this.
-l
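
Added example, not part of the message above and not chicken-doc's own
code: a Python sketch of the download-then-verify flow proposed there,
as a replacement for piping curl into sudo tar. Python stands in for
whatever chicken-doc would do in Scheme. Fetching the tarball is left to
the caller (curl -o, or the program itself); the two archives below are
constructed in memory so the audit can be exercised offline. The
destination ~/.chicken-doc, the uncompressed size cap and the sample
repository layout are assumptions, not chicken-doc's actual layout.

```python
"""Audit a chicken-doc-repo style tarball, then unpack it unprivileged.

Added example, not chicken-doc's code. The archive is held in memory;
downloading it (e.g. with curl -o) is left to the caller.
"""
import io
import os
import posixpath
import tarfile
import tempfile

# Assumed defaults; where chicken-doc really keeps its repository is up to it.
DEFAULT_DEST = os.path.join(os.path.expanduser("~"), ".chicken-doc")
MAX_TOTAL_BYTES = 512 * 1024 * 1024  # assumed cap against decompression bombs


def member_problem(m):
    """Return a reason string if this tar member must not be extracted, else None."""
    if m.name.startswith("/"):
        return "absolute path"
    parts = posixpath.normpath(m.name).split("/")
    if ".." in parts:  # after normpath, any remaining '..' escapes the destination
        return "path traversal"
    if m.issym() or m.islnk():
        return "symlink or hardlink entry"  # may point outside the tree
    if not (m.isfile() or m.isdir()):
        return "device, fifo or other special file"
    if m.mode & 0o6000:
        return "setuid/setgid bit"
    return None


def audit_tar(data):
    """Inspect a gzip'd tarball without writing anything to disk.

    Returns (ok, problems, top_level_names).
    """
    problems, top, total = [], set(), 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            reason = member_problem(m)
            if reason:
                problems.append(f"{m.name}: {reason}")
            total += m.size
            top.add(posixpath.normpath(m.name).split("/")[0])
    if total > MAX_TOTAL_BYTES:
        problems.append(f"uncompressed size {total} exceeds cap")
    return not problems, problems, sorted(top)


def safe_extract(data, dest):
    """Audit first, then unpack into dest as the current user; returns written paths."""
    ok, problems, _ = audit_tar(data)
    if not ok:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    os.makedirs(dest, mode=0o755, exist_ok=True)
    # Pythons with PEP 706 offer tarfile's 'data' filter as a second line of defence.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            tf.extract(m, path=dest, set_attrs=False, **extra)
            written.append(os.path.join(dest, posixpath.normpath(m.name)))
    return written


def _build_tar(members):
    """Build a gzip'd tarball in memory from (name, kind, payload, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, payload, mode in members:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            elif kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def good_tar():
    """Constructed stand-in for a well-formed repo tarball (layout is assumed)."""
    return _build_tar([
        ("chicken-doc-repo", "dir", None, 0o755),
        ("chicken-doc-repo/index", "file", "constructed index\n", 0o644),
        ("chicken-doc-repo/srfi-1", "dir", None, 0o755),
        ("chicken-doc-repo/srfi-1/fold", "file", "fold doc\n", 0o644),
    ])


def bad_tar():
    """Constructed tarball carrying the kinds of entries the audit must reject."""
    return _build_tar([
        ("../../.bashrc", "file", "echo pwned\n", 0o644),
        ("/etc/ld.so.preload", "file", "/tmp/evil.so\n", 0o644),
        ("chicken-doc-repo/passwd", "sym", "/etc/passwd", 0o777),
        ("chicken-doc-repo/sh", "file", "", 0o4755),
    ])


def extract_roundtrip():
    """Unpack good_tar() into a scratch dir; returns (files_written, nested_file_present)."""
    with tempfile.TemporaryDirectory() as d:
        written = safe_extract(good_tar(), d)
        present = os.path.isfile(os.path.join(d, "chicken-doc-repo", "srfi-1", "fold"))
    return len(written), present


def rejects_bad():
    """True if safe_extract refuses bad_tar() before touching the destination."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(bad_tar(), d)
        except ValueError:
            return os.listdir(d) == []
    return False
```

Because the remote file changes daily, a real updater would extract
into a fresh staging directory beside the destination and rename it
into place, so an interrupted download never leaves a half-replaced
repository behind. Note that this audit only checks the archive's
structure (paths, entry types, permission bits, size); it says nothing
about who produced the tarball, which is a separate question from the
one raised above.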