You may want to consider adding some checks in here to make sure this can't be exploited. This should use -T, and the incoming arguments should be laundered (see Untaint.pm and perlsec). By laundering the incoming arg, you can make sure that the incoming file has a .tar/.gz extension and ends there. You wouldn't want someone passing an arg of 'foo.tar.gz; echo <badness> > trojan' or 'foo.tar.gz; rm -rf ./'.
I know it isn't a CGI, but making it somewhat safe is a good idea.
Just a thought.
Cheers,
KM
Some tarballs don't create new directories. This can be bad news.

I recently did a rm -rf `tar tvfz blah.tgz` on a tarball that had contained ./ and it made a mess in the cwd. Luckily, the "v" saved me, as I assume rm -rf ./ would be pretty bad.

In my haste, I have not considered how your code would handle this, but it might be good to check.
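Both checks asked for above (laundering the argument under -T, and refusing a tarball that does not unpack into its own directory) can be put into one small wrapper. The script below is an added example for this thread and is not code from the original post or from any of the repliers; the launder regex, the accepted extensions (.tar, .tar.gz, .tgz), the helper names and the single-top-directory rule are my own assumptions about what the original script should enforce.

```perl
#!/usr/bin/perl -T
# Added example for this thread (not the original poster's code): a taint-mode
# wrapper that launders its one argument, lists the tarball without a shell,
# and refuses archives that would spill files into the current directory.
use strict;
use warnings;

# Taint mode (-T) also distrusts %ENV, so PATH must be set explicitly before
# any external command is run.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Launder the file name: a plain name (no '/'), ending in .tar, .tar.gz or
# .tgz and nothing after that. Only the captured group becomes untainted, so
# an argument like 'foo.tar.gz; rm -rf ./' is rejected outright.
# (Assumed file-name policy; tighten or loosen to taste.)
sub launder_tarball_name {
    my ($arg) = @_;
    return unless defined $arg;
    return $1 if $arg =~ m{ \A ( [\w+-] [\w.+-]* \. (?: tar | tar\.gz | tgz ) ) \z }x;
    return;
}

# Given the entry list from 'tar t', return the single top-level directory
# every entry lives under, or undef when the archive holds absolute paths,
# '..' components, or files directly at the top level (the './' case from the
# reply above, where 'rm -rf' of the listing would hit the cwd).
sub common_top_dir {
    my @entries = @_;
    my $top;
    for my $entry (@entries) {
        chomp $entry;
        next if $entry eq '' || $entry eq '.' || $entry eq './';
        return if $entry =~ m{\A/} || $entry =~ m{(?:\A|/)\.\.(?:/|\z)};
        (my $clean = $entry) =~ s{\A\./}{};          # './pkg/x' -> 'pkg/x'
        my ($first, $rest) = split m{/}, $clean, 2;
        return unless defined $rest;                 # bare top-level file
        $top //= $first;
        return if $first ne $top;                    # a second top-level name
    }
    return $top;
}

my $name = launder_tarball_name($ARGV[0])
    or die "usage: $0 <file.tar|file.tar.gz|file.tgz>\n";
my $flag = $name =~ /\.(?:tar\.gz|tgz)\z/ ? '-tzf' : '-tf';

# List form of open/system: arguments go straight to execve(), never through
# a shell, so ';', '>' and backquotes in a name are just bytes.
open my $tar, '-|', 'tar', $flag, '--', $name
    or die "cannot run tar: $!\n";
my @entries = <$tar>;
close $tar or die "tar exited with status $?\n";

my $top = common_top_dir(@entries);
defined $top
    or die "refusing $name: it would not unpack into a single directory\n";

(my $xflag = $flag) =~ s/^-t/-x/;
system('tar', $xflag, '--', $name) == 0
    or die "extraction failed: $?\n";
print "unpacked $name into $top/\n";
```

The two halves are independent: the regex capture is what satisfies -T, and the list forms of open and system are what keep the shell out of the picture even if the regex were looser than it should be. The common_top_dir check is the part that would have caught the ./ tarball from the reply above before anything was unpacked or deleted.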