Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security improvement: open files with O_EXCL for writing #147

Open
vtjnash opened this issue Oct 25, 2022 · 3 comments · May be fixed by #148
Open

security improvement: open files with O_EXCL for writing #147

vtjnash opened this issue Oct 25, 2022 · 3 comments · May be fixed by #148

Comments

@vtjnash
Copy link

vtjnash commented Oct 25, 2022
edited

When opening files for writing, this package probably never wants to overwrite an existing file. This can be prevented (including any race conditions) by setting the O_CREAT O_EXCL flag when opening files for writing. This would potentially avoid any security vulnerabilities being discovered by package users resulting from malicious tar files overwriting important files.
@StefanKarpinski StefanKarpinski linked a pull request Oct 25, 2022 that will close this issue
Open
@vtjnash vtjnash changed the title security improvement: open files with O_CREAT for writing security improvement: open files with O_EXCL for writing Oct 25, 2022
@vtjnash
Copy link
Author

vtjnash commented Oct 25, 2022

ah, wait, sorry, the flag is O_CREAT | O_EXCL

@StefanKarpinski
Copy link
Member

Do we have an open flag for that?

@StefanKarpinski
Copy link
Member

Doesn't seem like we do. I guess I can use an internal open method, but maybe better to add an exclusive flag to the open function instead and then use it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

extract: use open(create=true) when extracting files JuliaIO/Tar.jl
2 participants
@StefanKarpinski @vtjnash