Pantek Library

Re: Automatic processing of d-i byhand uploads

From: Anthony Towns <aj(at)azure.humbug.org.au>
Date: Sun Oct 28 2007 - 02:17:13 EDT


On Sun, Oct 28, 2007 at 01:49:32AM -0400, Joey Hess wrote:
> Anthony Towns wrote:
> > To get it working for d-i uploads, I need a very reliable script that
> > will be invoked as:
> Well, I stopped when I discovered the tar on ries is still apparently
> vulnerable to #439335. I don't feel it's possible to make a very
> reliable script with an insecure tar..
> (Does dak ever unpack other tarballs? Just curious, I swear... ;-)

Not using tar directly except when specifically distrusting the filenames in the tar file...

Can't you just test for any absolute file names and error out? I was more worried about having a symlink x->/etc, followed by an x/passwd file or similar, which is apparently caught, but...

The python tarfile module (or similar) might be a better bet.

Cheers,
aj

Received on Sun Oct 28 02:20:05 2007
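
As an added illustration (not code from this thread or from dak), here is a pre-extraction check along the lines suggested in the message, using Python's tarfile module: it refuses absolute names, parent-directory components, and members whose path runs through a link declared earlier in the archive, which is the x -> /etc followed by x/passwd case. The names `unsafe_members` and `build_sample` and the sample archive contents are constructed for this example.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar):
    """Return (name, reason) for each member that could write outside the unpack dir."""
    problems = []
    links = set()  # paths declared as symlinks or hard links earlier in the archive
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        if m.name.startswith("/"):
            problems.append((m.name, "absolute path"))
        elif ".." in parts:
            problems.append((m.name, "parent directory component"))
        elif any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            problems.append((m.name, "path passes through a link"))
        if m.issym() or m.islnk():
            target = m.linkname
            if m.issym():  # symlink targets are relative to the link's own directory
                target = posixpath.join(posixpath.dirname(name), target)
            target = posixpath.normpath(target)
            if m.linkname.startswith("/") or target.split("/")[0] == "..":
                problems.append((m.name, "link target outside unpack dir"))
            links.add(name)
    return problems


def build_sample():
    """Constructed archive: symlink x -> /etc, then x/passwd, plus other test entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link in [
            ("images/README", tarfile.REGTYPE, ""),
            ("x", tarfile.SYMTYPE, "/etc"),
            ("x/passwd", tarfile.REGTYPE, ""),
            ("/etc/shadow", tarfile.REGTYPE, ""),
            ("../escape", tarfile.REGTYPE, ""),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    with tarfile.open(fileobj=build_sample()) as tar:
        print(*unsafe_members(tar), sep="\n")
```

A caller would error out on any non-empty result before extracting anything, rather than skipping the flagged members.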

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 03:12:34 EDT

