Re: zipbomb handling should not be done in url-fetch/zipbomb
From: Ludovic Courtès
Subject: Re: zipbomb handling should not be done in url-fetch/zipbomb
Date: Wed, 21 Jun 2017 12:45:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
Arun Isaac <address@hidden> wrote:
>>> * Proposal
>>>
>>> zip bomb (zip archives without a top level directory) handling should
>>> not be done in `url-fetch/zipbomb'. It should be implemented as a
>>> boolean argument to the `unpack' phase.
>>
>> I guess the Boolean argument would determine whether to do (chdir
>> (first-subdirectory ".")), right?
>>
>> Unfortunately that’s not enough for the cases where an origin has
>> patches or a snippet, because that code also assumes there’s only one
>> subdirectory (see ‘patch-and-repack’ in (guix packages)).
>
> Ah, I didn't think of that.
>
>> Perhaps the right fix would be to fix ‘patch-and-repack’ somehow.
>
> Unfortunately, I don't know what that fix would look like. :-( Perhaps
> `patch-and-repack' should somehow autodetect whether the archive is a
> bomb or not. Do you think that is a good solution? It sounds
> overcomplicated to me.
Yeah, I don’t really know either. It could certainly detect that
unpacking created more than one file, and maybe it could automatically
create a directory and move everything there.
It’s a bit complicated for the occasional tarbomb, indeed…
> Or, we can just let this matter rest as it is not too important.
Maybe!
Thanks,
Ludo’.
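The detect-and-wrap approach sketched in the reply above (unpack, count what came out, and if it is not a single directory, create one and move everything into it), written out as an added shell example. This is not Guix code and not what `patch-and-repack` does; the function names `unpack_normalized`, `make_samples` and `count_top_level` are invented here, and the two sample archives are constructed inline so the block runs offline. "Tarbomb" is used in the thread's sense of an archive with no single top-level directory, not a decompression bomb.

```shell
#!/bin/sh
# Added example (not Guix's own code): normalise an archive that may be a
# "tarbomb", i.e. one whose members do not all sit under one top-level directory.
set -eu

# unpack_normalized ARCHIVE DEST   (hypothetical helper name)
# Extracts ARCHIVE into a scratch directory, counts the top-level entries it
# produced (dotfiles included), then:
#   - exactly one entry and it is a real directory: move it to DEST as-is
#     (the single-subdirectory layout the rest of the pipeline assumes);
#   - anything else: create DEST and move every entry into it.
# Prints "single" or "bomb" so a caller can tell which case was taken.
unpack_normalized() {
    archive=$1
    dest=$2
    scratch=$(mktemp -d)
    # GNU tar strips a leading "/" and refuses ".." members by default; the
    # scratch directory also keeps a hostile archive away from anything else.
    tar -xf "$archive" -C "$scratch"

    count=0
    only=
    # Three globs so dotfiles are counted too; skip any glob that matched nothing.
    for entry in "$scratch"/* "$scratch"/.[!.]* "$scratch"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        count=$((count + 1))
        only=$entry
    done

    # Require a real directory: a lone symlink must not be treated as the tree.
    if [ "$count" -eq 1 ] && [ -d "$only" ] && [ ! -L "$only" ]; then
        mv "$only" "$dest"
        rmdir "$scratch"
        echo single
    else
        mkdir -p "$dest"
        for entry in "$scratch"/* "$scratch"/.[!.]* "$scratch"/..?*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            mv "$entry" "$dest"/
        done
        rmdir "$scratch"
        echo bomb
    fi
}

# count_top_level DIR: number of entries directly under DIR, dotfiles included.
count_top_level() {
    n=0
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# make_samples WORK: constructed sample archives (not real project tarballs)
# that exercise both paths: a conventional foo-1.0/ tarball and a tarbomb.
make_samples() {
    work=$1
    mkdir -p "$work/src/foo-1.0" "$work/src/bomb"
    echo 'int main(void) { return 0; }' > "$work/src/foo-1.0/main.c"
    echo 'int main(void) { return 0; }' > "$work/src/bomb/main.c"
    printf 'all:\n' > "$work/src/bomb/Makefile"
    : > "$work/src/bomb/.gitignore"
    tar -cf "$work/foo-1.0.tar" -C "$work/src" foo-1.0
    # The tarbomb: members at the archive root, no common directory.
    tar -cf "$work/bomb.tar" -C "$work/src/bomb" main.c Makefile .gitignore
}
```

Counting entries after extraction, rather than inspecting `tar -t` output, sidesteps the `./foo` versus `foo` member-name variants and tools that emit directory entries inconsistently; the price is that the archive has to be extracted into scratch space first. In Guix this logic would live in Guile beside `patch-and-repack`, and the "single directory" test should be the same one the snippet and patch code rely on, or the two will disagree on the occasional archive whose only top-level entry is a file or a symlink.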