[tnozaki-libarchive] Leave pre-existing symlinks alone on extraction

Issue #265 wontfix
Takehiko NOZAKI repo owner created an issue

from https://github.com/libarchive/libarchive/pull/1300

When libarchive encounters an existing symbolic link during extraction
it removes that symbolic link first before overwriting it, unless
it is told that it can trust symlinks from the archive.

Placing symbolic links on known paths in the extracting subdirectory
is a simple way that a system administrator can place data at a
different location without having the overhead of a mountpoint.

Trusting symlinks from an archive is never safe because they can
maliciously overwrite files outside of the extraction directory.

This patch adds a linked list to keep track of the symbolic links that
were created during extraction so that it does not trust them. This
way during extraction, libarchive can remove the symlinks it created,
but leave the pre-existing ones alone.
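
The tracking idea described above, sketched in C as an added example (this is not the patch from the pull request and not libarchive's code): symlinks the extractor creates are recorded in a linked list, and a symlink found on disk is classified by whether it is in that list. The struct, enum and function names are hypothetical, and the paths used in `demo` are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for illustration; this is not libarchive's code. */
struct created_link { struct created_link *next; char *path; };
enum link_action { NOT_A_SYMLINK, KEEP_PREEXISTING, REMOVE_OURS };

/* Record a symlink that this extraction run created itself. */
static int remember_link(struct created_link **head, const char *path) {
    struct created_link *n = malloc(sizeof(*n));
    if (n == NULL || (n->path = strdup(path)) == NULL) { free(n); return -1; }
    n->next = *head;
    *head = n;
    return 0;
}

/* Classify `path` before the extractor writes at or beneath it. */
static enum link_action check_path(const struct created_link *head, const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISLNK(st.st_mode))
        return NOT_A_SYMLINK;
    for (; head != NULL; head = head->next)
        if (strcmp(head->path, path) == 0)
            return REMOVE_OURS;      /* came from the archive: do not trust it */
    return KEEP_PREEXISTING;         /* was on disk before extraction started */
}

/* Constructed scenario in a temp dir; packs the three results as decimal digits. */
static int demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", admin[64], ours[64], plain[64];
    struct created_link *links = NULL;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(admin, sizeof admin, "%s/data", dir);
    snprintf(ours, sizeof ours, "%s/from_archive", dir);
    snprintf(plain, sizeof plain, "%s/missing", dir);
    if (symlink("/var/tmp", admin) != 0) return -1;   /* placed by the administrator */
    if (symlink("/etc", ours) != 0 || remember_link(&links, ours) != 0) return -1;
    int r = check_path(links, admin) * 100 + check_path(links, ours) * 10 + check_path(links, plain);
    unlink(admin); unlink(ours); rmdir(dir);
    free(links->path); free(links);
    return r;
}

int main(void) { printf("%d\n", demo()); return 0; }
```

Matching is by exact string, so this sketch assumes the extractor records and checks paths in the same normalized form.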

Comments (1)

  1. Takehiko NOZAKI reporter

    Merge discussion is suspended by some kraut's objection and poor test case fixes. Take my time until upstream's decision.
