bug-gnu-emacs

bug#25611: 26.0.50; dired-do-compress unpacks .tgz files


From: Oleh Krehel
Subject: bug#25611: 26.0.50; dired-do-compress unpacks .tgz files
Date: Mon, 6 Mar 2017 11:53:15 +0100

Hi Mike,

> It occurs to me that this could be considered a security vulnerability.
> If the .tgz file is (unintentionally) unpacked in $HOME and contains a
> .ssh/authorized_keys, that could give an attacker access to the victim's
> account.

The file is uncompressed into a directory with the same name. So the
file would have to be ~/.ssh.tar.gz. If a user presses "Z" on that
file, it's pretty clear what will happen, same as with "C" on e.g. an
`authorized_keys' file somewhere.

regards,
Oleh
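
An added example, not part of the original message and not Emacs code: a Python sketch that lists where the members of a .tgz would land under the two behaviours discussed in this thread (unpacked into the current directory, or into a directory named after the archive, as the reply describes) and flags landing paths that matter when the archive sits in $HOME. The `SENSITIVE` list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

# Assumption: paths relative to $HOME worth flagging (illustrative, not exhaustive).
SENSITIVE = (".ssh/authorized_keys", ".bashrc", ".profile")

def build_sample_tgz(names):
    """Build an in-memory .tgz from constructed member names (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def strip_archive_suffix(filename):
    """'.ssh.tar.gz' -> '.ssh', 'backup.tgz' -> 'backup'."""
    for suffix in (".tar.gz", ".tgz"):
        if filename.endswith(suffix):
            return filename[: -len(suffix)]
    raise ValueError("not a gzip-compressed tar: " + filename)

def landing_paths(tgz_bytes, archive_name, into_named_dir):
    """Paths, relative to the archive's directory, that each file member
    would occupy. Nothing is extracted; only the member list is read."""
    base = strip_archive_suffix(archive_name) if into_named_dir else ""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        # normpath collapses './' and '..' so the comparison uses the final path.
        return [posixpath.normpath(posixpath.join(base, m.name))
                for m in tar.getmembers() if m.isfile()]

def sensitive_hits(tgz_bytes, archive_name, into_named_dir):
    """Landing paths that coincide with an entry in SENSITIVE."""
    return [p for p in landing_paths(tgz_bytes, archive_name, into_named_dir)
            if p in SENSITIVE]

if __name__ == "__main__":
    cases = [("backup.tgz", [".ssh/authorized_keys", "notes.txt"]),
             (".ssh.tar.gz", ["authorized_keys"])]
    for archive_name, members in cases:
        blob = build_sample_tgz(members)
        for into_named_dir in (False, True):
            hits = sensitive_hits(blob, archive_name, into_named_dir)
            print(archive_name, "named-dir" if into_named_dir else "cwd", hits)
```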




