From: Paul Eggert
Subject: Re: sharutils: Directory traversal (security issue) in uudecode
Date: Sun, 27 Nov 2022 09:30:11 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2

On 2022-11-27 07:57, Hanno Böck wrote:
> I want to report a security issue in the uudecode commandline tool that is part of sharutils.

POSIX requires the current behavior and it's been that way for ages without actual problems being reported. So one possibility is to merely document the situation.
Another possibility is to do as GNU 'tar' does, and warn about dubious file names starting with '/' or '~', while stripping leading prefixes (including anything ending in ".."), while retaining the current behavior if POSIXLY_CORRECT is set. uudecode could steal tar's code to do that.
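
The name handling suggested in the message above, sketched as an added example; it is not part of the original message and is not code from sharutils or GNU tar. The function name `safer_output_name`, its parameters and the sample names are hypothetical. Names starting with '~' are only flagged here, on the assumption that the caller does not expand them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return the part of NAME that is safe to create
   below the current directory.  *DUBIOUS is set when NAME starts with
   '/' or '~' or when a leading prefix had to be stripped.  */
const char *
safer_output_name (const char *name, int posixly_correct, int *dubious)
{
  const char *p, *safe = name;

  *dubious = 0;
  if (posixly_correct)          /* retain the current behaviour */
    return name;
  if (name[0] == '/' || name[0] == '~')
    *dubious = 1;

  /* P always sits at the start of a path component.  The stripped
     prefix ends just after the last component that is exactly "..".  */
  for (p = name; *p; )
    {
      if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
        safe = p + 2;
      while (*p && *p != '/')
        p++;
      while (*p == '/')
        p++;
    }
  while (*safe == '/')          /* drop slashes left at the front */
    safe++;

  if (safe != name)
    *dubious = 1;
  return *safe ? safe : ".";    /* nothing left: fall back to "." */
}

int
main (void)
{
  /* Constructed sample names, as they could appear on a "begin" line.  */
  const char *samples[] = { "report.txt", "/etc/passwd", "a/../../b.txt",
                            "~user/x", "notes..txt", ".." };
  int posix = getenv ("POSIXLY_CORRECT") != NULL;
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      int dubious;
      const char *out = safer_output_name (samples[i], posix, &dubious);
      if (dubious)
        fprintf (stderr, "warning: dubious file name '%s'\n", samples[i]);
      printf ("%-16s -> %s\n", samples[i], out);
    }
  return 0;
}
```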