On 3/26/19 5:00 PM, enh via Toybox wrote:
> (this is the background to the xabspath patch i just sent out...)
>
> i assume there's a future patch that actually _reads_ TT.cwd, so that
> we won't want
> https://android-review.googlesource.com/c/platform/external/toybox/+/933053
> (pasted below for convenience):
>
> tar: delete unused variable.

Yeah, it's in my tree now but not connected up yet. The idea is to xabspath() each file we're extracting and each hardlink we're creating, and if it's not under the cwd we started in, error_msg() and move on. That way not only is all the .. nonsense avoided, but symlink attacks (create symlink in current dir, create file under symlink) too.

Rob
_______________________________________________
Toybox mailing list
Toybox@lists.landley.net
http://lists.landley.net/listinfo.cgi/toybox-landley.net
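
The containment check described in the message above, as an added example (not toybox's code and not part of the original thread). It assumes POSIX `realpath()` as a stand-in for toybox's `xabspath()`; `is_under`, `member_is_safe` and `make_demo_tree` are hypothetical names, and the directory tree is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if canonical `real` is `root` or beneath it ("/a/bc" is not under "/a/b"). */
static int is_under(const char *root, const char *real)
{
  size_t len = strlen(root);
  if (len && root[len-1] == '/') len--;   /* root "/": empty prefix */
  return !strncmp(root, real, len) && (real[len] == '/' || !real[len]);
}

/* May member `name` be created under canonical dir `root`? The member may not
 * exist yet, so canonicalize its parent with POSIX realpath() (assumed stand-in
 * for toybox's xabspath()); the caller must already have created parent dirs. */
int member_is_safe(const char *root, const char *name)
{
  char path[PATH_MAX], real[PATH_MAX], *slash;
  int len = snprintf(path, sizeof(path), "%s/%s", root, name);
  if (len < 0 || len >= (int)sizeof(path)) return 0;
  slash = strrchr(path, '/');
  *slash = 0;                             /* path is now the parent dir */
  if (!strcmp(slash+1, "..") || !realpath(path, real)) return 0;
  return is_under(root, real);
}

/* Constructed demo tree: <root>/sub is a directory, <root>/link -> "/". */
int make_demo_tree(char *root)
{
  char tmpl[] = "/tmp/tarchk.XXXXXX", buf[PATH_MAX + 8];
  if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return -1;
  snprintf(buf, sizeof(buf), "%s/sub", root);
  if (mkdir(buf, 0700)) return -1;
  snprintf(buf, sizeof(buf), "%s/link", root);
  return symlink("/", buf);
}

int main(void)
{
  char root[PATH_MAX];
  const char *names[] = {"file", "sub/file", "sub/../../x", "link/file", ".."};
  if (make_demo_tree(root)) return 1;
  for (size_t i = 0; i < sizeof(names)/sizeof(*names); i++)
    printf("%-12s %s\n", names[i], member_is_safe(root, names[i]) ? "ok" : "skip");
  return 0;
}
```

A check like this is still subject to a race if another process can modify the directory between the check and the create.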