[aur-general] AUR no more extracting source tarballs ( was: Upgraded AUR to 1.8.0)

Dieter Plaetinck dieter at plaetinck.be
Mon Feb 21 10:42:49 EST 2011


On Mon, 21 Feb 2011 16:35:33 +0100
Lukas Fleischer <archlinux at cryptocrack.de> wrote:

> On Mon, Feb 21, 2011 at 03:46:47PM +0100, Dieter Plaetinck wrote:
> > On Mon, 21 Feb 2011 14:50:39 +0100
> > Lukas Fleischer <archlinux at cryptocrack.de> wrote:
> > 
> > 
> > > The only issue that might affect the end users as well is "ZIP
> > > bombs". Most users will probably notice such a thing before it is
> > > entirely extracted, just interrupt tar(1)/gzip(1) and send a
> > > removal request to aur-general, however.
> > 
> > hmmm. some good points.
> > I guess I could try the suggested approach and see how I like it.
> > However, now that you bring up the "zip bombs", do you think it's
> > feasible to scan for them serverside without compromising security
> > and/or making things needlessly complicated? it would be useful for
> > clients if that one aspect could be filtered out in advance.
> 
> I don't think this is possible without decompressing the tarball which
> is again vulnerable to (D)DoS.

hmm maybe we mean different things.
you are talking about exhausting ram/cpu/time, right?
http://en.wikipedia.org/wiki/Zip_bomb
In that case, sure, just leave it to the client. the problem is trivial
enough.

I was talking about bad filenames
(like ../../foo, /foo, /root/foobar, /tmpl/blah, and whatever else is
posible)
that might be prevented with `tar -t`

Dieter


More information about the aur-general mailing list