-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70142/#review213518
-----------------------------------------------------------

3rdparty/stout/include/stout/archiver.hpp
Line 43 (original), 43 (patched)
<https://reviews.apache.org/r/70142/#comment299465>

`libarchive` supports the `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` flag:
https://github.com/libarchive/libarchive/blob/f77e06a338a9b5414444de406da5a03f0bda8c00/libarchive/archive.h#L692-L693

Should we use this flag by default as well?

- Andrei Budnik

On March 6, 2019, 7:35 p.m., Joseph Wu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70142/
> -----------------------------------------------------------
>
> (Updated March 6, 2019, 7:35 p.m.)
>
>
> Review request for mesos, Andrei Budnik, Gilbert Song, and Greg Mann.
>
>
> Bugs: MESOS-9610
>     https://issues.apache.org/jira/browse/MESOS-9610
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This enables a security flag provided by libarchive, which disallows
> extraction of archives that contain '..' in hardlinks or files.
> Without this flag, it is possible to provide the archiver with
> an archive and overwrite arbitrary files in the user's parent directory
> or further up.
>
>
> Diffs
> -----
>
>   3rdparty/stout/include/stout/archiver.hpp 2447797ee05f48ab6d8b046d862aede8dec36bea
>   3rdparty/stout/tests/archiver_tests.cpp cdf24a5d9accb1082e8bf3809c865a92d93e63d8
>
>
> Diff: https://reviews.apache.org/r/70142/diff/1/
>
>
> Testing
> -------
>
> ```
> cmake --build . --target stout-tests
> 3rdparty/stout/tests/stout-tests --gtest_filter="*Archiver*"
> ```
>
>
> Thanks,
>
> Joseph Wu
>
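
An added example, not part of the review thread and not Mesos or libarchive code: a self-contained C++ illustration of the two pathname policies discussed above (refusing `..` components and refusing absolute paths), showing that the `..` check on its own still admits an absolute entry name. The `Policy` enum, `entryAllowed`, `rejected` and the sample entry names are hypothetical and constructed for this example; only POSIX-style `/` paths are assumed.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Hypothetical policy bits for this example. They mirror the intent of
// libarchive's ARCHIVE_EXTRACT_SECURE_NODOTDOT and
// ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS but are not libarchive's values.
enum Policy : unsigned {
  REJECT_DOTDOT = 1u << 0,
  REJECT_ABSOLUTE = 1u << 1,
};

// Returns true when an entry pathname is acceptable under `policy`.
// Assumes POSIX-style '/' separators.
bool entryAllowed(const std::string& path, unsigned policy)
{
  if (path.empty()) {
    return false;
  }
  if ((policy & REJECT_ABSOLUTE) && path[0] == '/') {
    return false;
  }
  if (policy & REJECT_DOTDOT) {
    std::istringstream components(path);
    std::string component;
    while (std::getline(components, component, '/')) {
      if (component == "..") {  // Exact match: "..b" is a legal file name.
        return false;
      }
    }
  }
  return true;
}

// Constructed entry names standing in for an archive listing.
const std::vector<std::string> SAMPLE_ENTRIES = {
  "docs/readme.txt", "../outside.txt", "a/../../b", "a/..b/c", "/abs/file.txt",
};

// Returns the sample entries that `policy` refuses to extract.
std::vector<std::string> rejected(unsigned policy)
{
  std::vector<std::string> out;
  for (const std::string& entry : SAMPLE_ENTRIES) {
    if (!entryAllowed(entry, policy)) {
      out.push_back(entry);
    }
  }
  return out;
}
```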
