Prevent recursive directories in the tarballs #958
There's logic in https://github.com/JuliaIO/Tar.jl/blob/853aa7f1c259a15b42c1ff09b016b3eb2e9e9db4/src/extract.jl#L89-L170 to correctly handle all cases; it could maybe be extracted or reused somehow. It's impressively tricky to detect all the ways that symlinks can create circularity or escape from the archive.
For the record, a mechanism to detect recursion would be useful also for #952
There are two basic kinds of circularity to worry about:
You can capture both of these as:
I worked with paths in Tar.jl because that's what I already had a tree of, but it's much easier if you build a tree representation first. So you'd want to build a tree where each entry is either a file, a directory or a symlink. If you split a symlink on slashes into a vector of parts, you can then resolve the symlink target by walking up and down the tree. Specifically: If you do all of that, then there's the problem of copy order, which is itself pretty tricky, but isn't necessary for just checking an archive. All this is complicated enough and hard enough to get right that it should maybe be made into a standalone utility package.
Actually, I just came up with a new, previously-undetected way to create uncopiable symlinks 😂
And indeed, in testing, this hangs
https://github.com/JuliaBinaryWrappers/Poppler_jll.jl/releases/download/Poppler-v0.87.0%2B1/Poppler.v0.87.0.x86_64-w64-mingw32-cxx11.tar.gz has a recursive bin/ directory. No idea what we can do, but it's probably good to have a mechanism to avoid this.
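The tree-walking check sketched in the comments above, written out as an added example (not code from this thread or from Tar.jl): entries are (path, kind, link target) tuples as read from tar headers, the sample at the end is constructed, and the checker flags a link that escapes the archive root, a link loop, and a link to a directory that contains the link itself, which is the recursive bin/ shape this issue hit.

```python
def build_tree(entries):
    """Map every archive path (plus implicit parent dirs) to (kind, link target)."""
    tree = {"": ("dir", None)}                            # "" is the archive root
    for name, kind, target in entries:
        parts = name.strip("/").split("/")
        for i in range(1, len(parts)):
            tree.setdefault("/".join(parts[:i]), ("dir", None))
        tree["/".join(parts)] = (kind, target)
    return tree

def resolve(tree, cwd, target, active):
    """Walk `target` from directory parts `cwd`, following nested symlinks;
    `active` is the set of links being resolved, which catches loops."""
    if target.startswith("/"):
        raise ValueError("absolute target leaves the archive")
    cur = list(cwd)
    for part in [p for p in target.split("/") if p not in ("", ".")]:
        if part == "..":
            if not cur:
                raise ValueError("target escapes the archive root")
            cur.pop()
            continue
        cur.append(part)
        key = "/".join(cur)
        kind, link = tree.get(key, ("missing", None))
        if kind == "symlink":
            if key in active:
                raise ValueError(f"symlink loop through {key}")
            cur = resolve(tree, cur[:-1], link, active | {key})
    return cur

def check_tree(tree):
    """Return 'path: problem' for every symlink that escapes, loops or recurses."""
    problems = []
    for path, target in sorted((p, t) for p, (k, t) in tree.items() if k == "symlink"):
        parts = path.split("/")
        try:
            dest = resolve(tree, parts[:-1], target, {path})
            # A link to a directory that contains the link itself recurses forever.
            if tree.get("/".join(dest), ("?",))[0] == "dir" and parts[:len(dest)] == dest:
                raise ValueError("recursive directory")
        except ValueError as e:
            problems.append(f"{path}: {e}")
    return problems

# Constructed sample of tar header fields (name, type, linkname); "bin -> ." is the
# shape that makes an extractor which follows links descend bin/bin/bin/... forever.
SAMPLE = build_tree([("lib/libfoo.so", "file", None), ("bin", "symlink", "."),
                     ("lib/up", "symlink", ".."), ("a", "symlink", "b"), ("b", "symlink", "a"),
                     ("out", "symlink", "../etc"), ("ok", "symlink", "lib/libfoo.so")])
```

Copy order, which the comment above notes is a separate problem, is not addressed here; this only decides whether an archive is safe to walk at all.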