[jira] [Assigned] (MESOS-9646) Look into enabling the libarchive extraction flag ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS by default

JIRA Mon, 08 Apr 2019 09:50:19 -0700


     [ 
https://issues.apache.org/jira/browse/MESOS-9646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Gastón Kleiman reassigned MESOS-9646:
-------------------------------------

    Assignee: Benno Evers

> Look into enabling the libarchive extraction flag 
> ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS by default
> ---------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-9646
>                 URL: https://issues.apache.org/jira/browse/MESOS-9646
>             Project: Mesos
>          Issue Type: Improvement
>    Affects Versions: 1.7.0, 1.8.0
>            Reporter: Joseph Wu
>            Assignee: Benno Evers
>            Priority: Major
>              Labels: foundations, mesosphere
>
> The libarchive source provides the following flag: 
> {code}
> /* Default: Do not try to guard against extracts redirected by symlinks. */
> /* Note: With ARCHIVE_EXTRACT_UNLINK, will remove any intermediate symlink. */
> #define       ARCHIVE_EXTRACT_SECURE_SYMLINKS (0x0100)
> {code}
> https://github.com/libarchive/libarchive/blob/master/libarchive/archive.h#L672-L674
> We should check if the default behavior is unsecure (i.e. allowing a fetched 
> artifact to affect files outside the sandbox).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Assigned] (MESOS-9646) Look into enabling the libarchive extraction flag ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS by default

Reply via email to