Comments (11)
mrook
commented on May 24, 2024
2
Good idea, I'll add that.
from archive_tar.
mrook
commented on May 24, 2024
Yeah that sounds good to me, a PR is appreciated!
from archive_tar.
mortenson
commented on May 24, 2024
from archive_tar.
mrook
commented on May 24, 2024
Merged the PR - I'll make sure to tag a new release later this week.
from archive_tar.
mortenson
commented on May 24, 2024
@mrook Thank you!
from archive_tar.
mrook
commented on May 24, 2024
https://github.com/pear/Archive_Tar/releases/tag/1.4.9
from archive_tar.
klausi
commented on May 24, 2024
The Drupal security advisory is saying that Archive_Tar had a security release: https://www.drupal.org/sa-core-2019-012
But that is not the case I think? Symbolic links are still processed by default, so users are still in danger if they use this library the same way. Should the release notes warn users to change their library usage?
from archive_tar.
mortenson
commented on May 24, 2024
@klausi I'm not sure if you mean the Drupal release notes or the Archive_Tar release notes - but for Drupal, core code that wraps Archive_Tar was updated to disallow symlinks. Drupal is not responsible for how users use third party dependencies directly.
I think it was incorrect for the SA to say that the Archive_Tar release was "security update" - allowing symlinks is a feature of Archive_Tar and not a security flaw, so the update really added an optional security enhancement for applications that do not want to support symlinks.
from archive_tar.
klausi
commented on May 24, 2024
I mean the Drupal release notes which say "The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations."
But Archive_Tar did not mention that this is a security update in the release notes at https://pear.php.net/package/Archive_Tar/download/1.4.9
Allowing symlinks is a very dangerous feature for anybody that uses Archive_Tar on attacker supplied archive files.
from archive_tar.
mortenson
commented on May 24, 2024
@klausi It was not a security update of Archive_Tar, it was an optional security feature addition. I agree that the release notes could have told people who untar untrusted data to use the new flag, however. Not sure if that's possible retroactively.
from archive_tar.
greggles
commented on May 24, 2024
I've updated the Drupal security advisory page to try to clarify what happened.
I think it could be a good idea for the Archive_Tar library to add some help text about being cautious in enabling symlinks for user-generated content.
from archive_tar.
Related Issues (12)
- PHP 7.4 - Archive_Tar->_readHeader() throws deprecations HOT 3
- This line doesn't do anything HOT 2
- mkdir default mask HOT 5
- Throws array access of type bool error in chroot jail
- Multiple vulnerabilities through filename manipulation (CVE-2020-28948 and CVE-2020-28949) HOT 3
- relative symlinks failing(Out-of path file extraction) with new commit cde460582ff389404b5b3ccb59374e9b389de916 HOT 7
- Relative symlinks with parent folder reference inside archive are rejected as out-of-path HOT 1
- Confirm that 1.4.13 was not a security release? HOT 11
- Composer version 1.4.13 appears to be missing security patch HOT 2
- Clarify the licensing HOT 1
- PHP 8.1 compatibility error: Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$trace" was changed on line 69. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from archive_tar.