Malicious archives may cause problems #8

Open
kbrint opened this Issue Sep 30, 2012 · 0 comments

kbrint commented Sep 30, 2012

Leading / is prohibited, but an archive containing this file could cause problems on extract:

../../../../../../../../../../../../Users/you/.ssh/authorized_keys

Or even:

dir1
dir1/somefile
dir1/dir2 
dir1/dir2/../../../../../../../../../../../../Users/you/.ssh/authorized_keys

Any path containing ".." should be prohibited just like those starting with "/"

Probably something like this... not sure if this is robust enough:

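// needs imports: "errors", "os", "strings"
for _, dir := range strings.Split(path, string(os.PathSeparator)) {
  if dir == ".." {
    // barf: refuse the entry
    return errors.New("archive path contains \"..\"")
  }
}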
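A fuller form of the check proposed in the issue above, as an added example that is not code from this project: it rejects a leading separator and any ".." component, and goes beyond the sketch by splitting on both "/" and "\" and by confirming the joined path still sits under the extraction directory. The names `SafeJoin`, `ErrUnsafePath`, `isSep` and the `/tmp/extract` directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath (hypothetical name) marks entry names that could escape the extract dir.
var ErrUnsafePath = errors.New("unsafe archive path")

func isSep(r rune) bool { return r == '/' || r == '\\' }

// SafeJoin (hypothetical helper) maps an archive entry name to a path under
// destDir. It rejects empty names, a leading separator, and any ".." component.
func SafeJoin(destDir, name string) (string, error) {
	if name == "" || isSep(rune(name[0])) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	// Split on both separators so the check does not depend on the host OS.
	parts := strings.FieldsFunc(name, isSep)
	for _, p := range parts {
		if p == ".." {
			return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
		}
	}
	target := filepath.Join(append([]string{destDir}, parts...)...)
	// Defence in depth: the cleaned target must still sit under destDir.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

func main() {
	// Sample entry names taken from the issue text; /tmp/extract is an assumed directory.
	for _, n := range []string{
		"dir1/somefile",
		"../../../../../../../../../../../../Users/you/.ssh/authorized_keys",
		"dir1/dir2/../../../../../../../../../../../../Users/you/.ssh/authorized_keys",
	} {
		p, err := SafeJoin("/tmp/extract", n)
		fmt.Printf("%.24s -> %q err=%v\n", n, p, err)
	}
}
```

This validates entry names only; archive entries that are symbolic links need their own handling before anything is written through them.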