From: Lassi Kortela
Subject: chicken-doc instructions recommend extracting tar file as root
Date: Sat, 8 May 2021 22:49:23 +0300
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
    curl https://3e8.org/pub/chicken-doc/chicken-doc-repo-5.tgz | sudo tar zx

in a directory that's often located within /usr. This is not ideal from a security perspective, especially given that the remote file changes daily, so some users can be expected to repeat the command lots of times.
An immediate safeguard is to edit the wiki page to add the verbose flag to the suggested tar command, causing it to show the pathnames of all the files it extracts.
For a proper fix, could chicken-doc be modified to download the tar file, sanity-check its contents, and unpack it safely into the user's home directory instead?
Alternatively, if the documentation is shipped in some kind of file format with an index for fast lookup, it doesn't need to be extracted into multiple files at all. There are reasonably simple databases like CDB and Berkeley DB for jobs like this.
-l
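The "download, sanity-check, unpack into the user's home" fix proposed in the message above, as an added Python example that is not chicken-doc's own code (chicken-doc itself is written in Scheme): every tar member is vetted before anything is written under an unprivileged destination directory. The archive is constructed inline as a stand-in for the downloaded tarball; the HTTP fetch is left out.

```python
import io, os, tarfile, tempfile

def unsafe_reason(member, dest):
    """Why a member must be rejected, or None if it may be unpacked under dest."""
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return "escapes destination"  # absolute names and ../ both end up here
    if member.issym() or member.islnk():
        return "link entry"  # a link could redirect a later member's write
    if not (member.isfile() or member.isdir()):
        return "special file"  # devices, fifos
    if member.mode & 0o6000:
        return "setuid/setgid bit"
    return None

def safe_extract(tar_bytes, dest):
    """Unpack only vetted members below dest; return (extracted, rejected)."""
    dest = os.path.realpath(dest)
    extracted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if why := unsafe_reason(m, dest):
                rejected[m.name] = why
                continue
            path = os.path.join(dest, m.name)
            os.makedirs(path if m.isdir() else os.path.dirname(path), exist_ok=True)
            if m.isfile():
                with tar.extractfile(m) as src, open(path, "wb") as out:
                    out.write(src.read())
                os.chmod(path, m.mode & 0o755)  # never honour setuid or world-write
            extracted.append(m.name)
    return extracted, rejected

def build_sample_tar():
    """Constructed archive: two benign members and three that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, mode=0o644, linkname=""):
            info = tarfile.TarInfo(name)
            info.size, info.type, info.mode, info.linkname = len(data), kind, mode, linkname
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("repo", kind=tarfile.DIRTYPE, mode=0o755)
        add("repo/index.txt", b"ok\n")
        add("../etc/evil", b"x\n")
        add("repo/link", kind=tarfile.SYMTYPE, linkname="/etc/passwd")
        add("repo/root-tool", b"#!/bin/sh\n", mode=0o4755)
    return buf.getvalue()

def demo(dest=None):  # a fresh temp dir stands in for a per-user doc directory
    return safe_extract(build_sample_tar(), dest or tempfile.mkdtemp())
```

Running `demo()` unpacks only `repo` and `repo/index.txt` and reports the other three members with the reason each was refused.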