[Toybox] TT.cwd unused in tar?

Rob Landley rob at landley.net
Tue Mar 26 17:01:00 PDT 2019


On 3/26/19 5:00 PM, enh via Toybox wrote:
> (this is the background to the xabspath patch i just sent out...)
> 
> i assume there's a future patch that actually _reads_ TT.cwd, so that
> we won't want https://android-review.googlesource.com/c/platform/external/toybox/+/933053
> (pasted below for convenience):
> 
> tar: delete unused variable.

Yeah, it's in my tree now but not connected up yet.

The idea is to xabspath() each file we're extracting and each hardlink we're
creating, and if it's not under the cwd we started in, error_msg() and move on.
That way not only is all the .. nonsense avoided, but symlink attacks (create
symlink in current dir, create file under symlink) too.

Rob
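
The check described above, as an added example that is not part of the original message or the toybox source: POSIX realpath() stands in for xabspath(), and member_under(), demo() and the sample member names are hypothetical, constructed for illustration.

```c
#define _XOPEN_SOURCE 700   // for realpath(), mkdtemp(), symlink()
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper. base: already-resolved absolute directory (not "/").
// name: archive member path. Returns 1 only if the member would be created
// under base once ".." and symlinks in its directory part are resolved.
int member_under(const char *base, const char *name)
{
  char full[PATH_MAX], real[PATH_MAX], *slash;
  size_t len = strlen(base);

  if (snprintf(full, sizeof(full), "%s/%s", base, name) >= (int)sizeof(full))
    return 0;
  // The member may not exist yet, so resolve the directory it would go in.
  slash = strrchr(full, '/');
  if (!slash[1] || !strcmp(slash+1, ".") || !strcmp(slash+1, "..")) return 0;
  *slash = 0;
  if (!realpath(full, real)) return 0;  // missing directory: refuse
  // Prefix must end on a path boundary, so /a/bc is not "under" /a/b.
  return !strncmp(real, base, len) && (!real[len] || real[len] == '/');
}

// Constructed scenario: scratch dir holding sub/ and a symlink link -> "/".
// Returns one bit per sample member that passed the check, or -1 on setup error.
int demo(void)
{
  char tmpl[] = "/tmp/tarchkXXXXXX", base[PATH_MAX], sub[PATH_MAX+8], lnk[PATH_MAX+8];
  const char *names[] = {"sub/file", "../escape", "link/x", "sub/../../y"};
  int i, ok = 0;

  if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;
  snprintf(sub, sizeof(sub), "%s/sub", base);
  snprintf(lnk, sizeof(lnk), "%s/link", base);
  if (mkdir(sub, 0700) || symlink("/", lnk)) return -1;
  for (i = 0; i < 4; i++) if (member_under(base, names[i])) ok |= 1 << i;
  unlink(lnk);
  rmdir(sub);
  rmdir(base);
  return ok;
}

int main(void)
{
  printf("accepted mask: %d\n", demo());
  return 0;
}
```

The check and the later create are separate steps, so this assumes nothing else modifies the extraction directory in between.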