bug-gnu-utils

Re: Bug#149454: uudecode bug (?)


From: Paul Eggert
Subject: Re: Bug#149454: uudecode bug (?)
Date: Tue, 9 Jul 2002 05:15:49 -0700 (PDT)

> From: martin f krafft <address@hidden>
> Date: Tue, 9 Jul 2002 13:29:13 +0200
> 
> why is it not a security bug if uudecode does follow symlinks

The same reason it is not a security bug if "sh" does follow symlinks.
You can't trust shar files; nor can you trust uuencoded files.  If you
are given an untrustworthy file to uudecode and do not wish to inspect
it, you should always invoke uudecode with the -o option.

POSIX 1003.1-2001 requires that uudecode must overwrite existing files
rather than removing them.  This includes following symbolic links to
existing files.  For details, please see:
<http://www.opengroup.org/onlinepubs/007904975/utilities/uuencode.html>.

POSIX places no such restriction on gzip or on tar, so they are not
required to behave this way.
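
The following is an added example, not part of the original message and not code from sharutils: a Python sketch of what decoding to a caller-chosen path (the effect of `-o`) means for an untrusted uuencoded file. The sample input, the function names, and the choice to refuse an existing destination with `O_EXCL` are assumptions of this example; POSIX uudecode itself overwrites, as the message says.

```python
import binascii
import os

# Constructed sample input: the "begin" line carries a name chosen by the sender.
PAYLOAD = b"constructed payload\n"
SAMPLE = ("begin 644 sender-chosen-name\n"
          + binascii.b2a_uu(PAYLOAD).decode("ascii")
          + "`\nend\n")

def parse_header(text):
    """Return (mode, embedded_name) from the 'begin' line of uuencoded text."""
    for line in text.splitlines():
        if line.startswith("begin "):
            _, mode, name = line.split(" ", 2)
            return int(mode, 8), name
    raise ValueError("no begin line")

def decode_body(text):
    """Decode the lines between 'begin' and 'end' into bytes."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            return bytes(out)
        if line.strip():                  # skip blank lines
            out += binascii.a2b_uu(line)
    raise ValueError("no end line")

def write_to_chosen_path(text, dest):
    """Write the decoded data to dest, ignoring the embedded name.

    Assumption of this example: O_CREAT|O_EXCL makes open() fail if dest
    already exists, including when dest is a symbolic link, so nothing
    that already exists is overwritten or followed.
    """
    mode, _embedded_name = parse_header(text)   # name is shown, never used
    data = decode_body(text)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode & 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return data

if __name__ == "__main__":
    print("embedded name (sender-controlled):", parse_header(SAMPLE)[1])
```
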


