GNU bug report logs - #47058
28.0.50; Dired Z: insert-directory: Reading directory: No such file or directory, CrossLine_linux_x86

Previous Next

Full log

Message #57 received at 47058 <at> debbugs.gnu.org (full text, mbox):

From: Gregory Heytings <gregory <at> heytings.org>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: "Michalis V." <mvar.40k <at> gmail.com>, Eli Zaretskii <eliz <at> gnu.org>,
 mcenturion <at> fing.edu.uy, arthur.miller <at> live.com, 47058 <at> debbugs.gnu.org
Subject: Re: bug#47058: 28.0.50; Dired Z: insert-directory: Reading directory:
 No such file or directory, CrossLine_linux_x86
Date: Tue, 21 Sep 2021 18:38:52 +0000

>> That's a separate issue.  And I don't see how is it a security issue 
>> for Emacs, when unpacking an archive manually with 'tar' etc. would 
>> produce the same results.  If the user wants to overwrite his/her 
>> sensitive files, we should let them do it, in the same way as other 
>> utilities do.  But that's MO, and it is a separate concern anyway.
>
> It's an Emacs security issue because we make it so easy to unpack these 
> tar files.  We should ideally inspect the file first and see whether 
> it's an adversarial tar file first, and then prompt the user for what to 
> do.
>

Would it not be easier to unconditionally untar the contents in a 
temporary directory, and to either move its contents to the current 
directory if it contains only one entry, or to rename it to a directory 
based on the tar file name when it contains more than one entry? 
Something like:

TMP=$(mktemp -d ./XXXXXXXX)
tar -C $TMP -x -z -f $FILE
if (($(ls $TMP | wc -l) == 1))
then
  mv $TMP/* .
  rmdir $TMP
else
  mv $TMP $(basename $FILE .tar.gz)
fi

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.