[Stable 7] CPIO breakage/
seanbru at yahoo-inc.com
Fri Jun 18 17:51:51 UTC 2010
On Thu, 2010-06-17 at 15:13 -0700, Xin LI wrote:
> On 2010/06/17 13:53, Peter Jeremy wrote:
> > On 2010-Jun-15 17:22:50 -0700, Xin LI <delphij at delphij.net> wrote:
> >> On 2010/06/15 17:05, Sean Bruno wrote:
> >>> A little more background. It looks like symlinks are getting stripped
> >>> of their '/' which sucks. Ideas?
> > ...
> >>> e.g. /home/foo/bar -> /opt/baz/blob
> >>> becomes
> >>> home/foo/bar -> opt/baz/blob
> >>> Yuck.
> >> This is a security measurement I think.
> > Can someone please explain how stripping a leading '/' off the
> > destination of a symlink enhances security? The destination is
> > not being written to.
> >> --absolute-filenames disables this behavior.
> > This definitely reduces security and would seem to be far more
> > dangerous than being able to create symlinks to absolute pathnames.
> Sorry I have misunderstood the original issue. It's the link target
> being mangled and doesn't seem right to me. I'll ask the author about this.
> The attached patch should restore the old behavior.
> --
> Xin LI <delphij at delphij.net> http://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
Yep, *this* patch seems to make things much happier. I'll integrate
cpio 2.8 back into the Yahoo tree when this is merged in.
Thanks for your patience and work on -stable.
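The distinction discussed in this thread, as an added example that is not part of any message here and is not cpio's code or the attached patch: stripping the leading '/' from a member name keeps extraction relative to the current directory, while stripping it from a symlink target turns the target into a relative path that resolves from the link's own directory. The `struct entry`, `strip_slashes`, `resolve` and `plan` names are hypothetical; the sample paths are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical entry record for this example (not a cpio structure). */
struct entry {
    const char *name;    /* path the member is extracted to */
    const char *target;  /* symlink target as stored in the archive */
};

/* Drop leading '/' so a path becomes relative to the extraction directory. */
static const char *strip_slashes(const char *p)
{
    while (*p == '/')
        p++;
    return p;
}

/* Where the link ends up pointing: an absolute target stands alone,
 * a relative one is looked up from the directory holding the link. */
static const char *resolve(const struct entry *e, char *buf, size_t n)
{
    const char *slash = strrchr(e->name, '/');
    if (e->target[0] == '/' || slash == NULL)
        snprintf(buf, n, "%s", e->target);
    else
        snprintf(buf, n, "%.*s/%s", (int)(slash - e->name), e->name, e->target);
    return buf;
}

/* Extraction plan: the member name is always stripped; the link target is
 * stripped only when strip_target is set (the behaviour reported above). */
static struct entry plan(struct entry in, int strip_target)
{
    struct entry out = { strip_slashes(in.name), in.target };
    if (strip_target)
        out.target = strip_slashes(in.target);
    return out;
}

int main(void)
{
    struct entry in = { "/home/foo/bar", "/opt/baz/blob" };  /* from the thread */
    char buf[256];
    struct entry bad = plan(in, 1), good = plan(in, 0);
    printf("mangled:   %s -> %s (%s)\n", bad.name, bad.target, resolve(&bad, buf, sizeof buf));
    printf("preserved: %s -> %s (%s)\n", good.name, good.target, resolve(&good, buf, sizeof buf));
    return 0;
}
```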