I once filed a bug for poorly packaged software that shipped as a tarbomb that chowned/chmoded "."... Almost locked me out of a server by chowning /root, thus disabling .ssh/authorized_keys. http://www.theregister.co.uk/2018/06/05/zip_slip_bug_archives/ …
-
Bad developer but more importantly, WHY DOES TAR ALLOW THAT BY DEFAULT?!?!?!?! (according to
@11rcombs)
¯\_(ツ)_/¯ official upstream recommendation is to always untar into an empty directory, where neither that directory nor its parent are accessible to other users. Yeah. https://www.gnu.org/software/tar/manual/html_chapter/tar_10.html …
-
-
Guess I need to add an alias to tar for --no-overwrite-dir. The sad thing is since tar is so widely used you just KNOW that a lot of wrapper scripts using it are probably unaware of this. Sane defaults, why are they so hard. :(
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.