|
|
|
|
|
|
by benmmurphy
3195 days ago
|
|
|
the second 'precaution' fix looks actually important because it stops an archive from a following a symlink it creates that would allow it to write outside of the package directory. my thoughts are: before the precaution fix this was a legal archive: $crate_name-$crate_version/outside -> ../
$crate_name-$crate_version/outside/$other_crate-$other-version/blah/blah
then you have this code:https://github.com/rust-lang/cargo/pull/4493/files#diff-ce3a... tar.unpack(dst.parent().unwrap())?;
so while Archive#unpack protects you against following symlinks outside of `dst` (which is a really good default!) it doesn't protect you from following symlinks inside of `dst` so presumably you can use the symlink trick to overwrite other packages.i haven't tested this so this could be wrong :/ like maybe archive by default doesn't create symlinks or reorders the extraction so symlinks are always created last. |
|
|