On Thu, Jul 12, 2007 at 04:49:35PM +0200, Stefan Reinauer wrote:
- mkdirp((const char *) dirname(path), 0755);
I don't think lar should mkdir -p implicitly.
Oh it does not do this implicitly. It only does it if the archive explicitly contains a directory.
It needs to be there, but I think the sanity checking could be good.
On Thu, Jul 12, 2007 at 04:52:12PM +0200, Stefan Reinauer wrote:
But I think a bit of sanity would be nice here since a lar could otherwise be used to overwrite arbitrary system files.
You compile LinuxBIOS as root?
No, but I may run lar as root because I need to tweak something right before running flashrom as root. Yes, bad practice. No, I'm not the only one.
I'll make a patch for mkdirp() that ensures the directory to be created is actually below the current directory
Rather check the path before mkdir()ing.
Exactly the idea.
I am pretty sure the mkdir efforts can easily be tricked by a couple of symlinks in the path,
realpath() handles that. To do full path resolution is not so simple though, so I cut some corners. It may be too much effort to be at all worthwhile and we'll instead let root shoot foot.
so I wonder how much use there is in trying to make this "secure" since it never runs as root anyways, and in a very controlled environment.
LB build mostly yes, lar not so sure.
//Peter