
Comments (2)

TomSweeneyRedHat commented on August 19, 2024

@vrothberg FYI

from filepath-securejoin.

cyphar commented on August 19, 2024

I'll post a response both there and here -- the reasoning is that SecureJoin (which is soon going to be outdated by libpathrs's path handling which is race-free) is effectively acting like a chroot. Thus /.. always becomes /.

This is necessary because there are lots of examples of malformed symlinks which only work because of this behaviour. If we made /.. cause an error, those symlinks wouldn't work -- and it's also unclear whether absolute symlinks should also trigger the error (in the podman build example, the symlink will be resolved differently to the host -- and this may be confusing to some users -- but on the other hand we absolutely need to allow absolute symlinks to work because many distributions use absolute symlinks all over the place).

We could work around this by making SecureJoin return an additional argument that says "you tried to cross the root" but I'm not really a huge fan of that idea -- aside from the fact that SecureJoin is going to be archived soon (once we switch enough people to libpathrs), it's also a bit of a weird thing for a caller to care about (though I do get why you'd want something like that).

I hasten to point out that docker build has the exact same semantics.

from filepath-securejoin.
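The chroot-like semantics cyphar describes, as an added example that is not filepath-securejoin's own code: a lexical joiner that clamps `..` at the root, re-roots absolute symlink targets instead of following them on the host, and also reports the "you tried to cross the root" flag discussed above. The symlink table `links` and the root `/srv/root` are constructed for the demo, so unlike the real library this resolves nothing on disk and is not race-free.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

type JoinResult struct {
	Path        string // resolved path, always inside root
	CrossedRoot bool   // true if some ".." tried to climb above the root
}

// ChrootJoin resolves unsafePath as if root were "/" of a chroot: ".." at the
// root is clamped to "/", absolute symlink targets are re-rooted rather than
// pointing at the host, and the result can never escape root. links is a
// constructed symlink table (in-root path -> target) standing in for a filesystem.
func ChrootJoin(root, unsafePath string, links map[string]string) (JoinResult, error) {
	var res JoinResult
	cur := "/"
	todo := strings.Split(unsafePath, "/")
	for hops := 0; len(todo) > 0; {
		part := todo[0]
		todo = todo[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			if cur == "/" {
				res.CrossedRoot = true // would have left root: stays at "/"
			}
			cur = path.Dir(cur)
			continue
		}
		next := path.Join(cur, part)
		if target, ok := links[next]; ok {
			if hops++; hops > 255 {
				return res, fmt.Errorf("too many symlinks resolving %q", unsafePath)
			}
			if path.IsAbs(target) {
				cur = "/" // absolute target is relative to root, not the host
			}
			todo = append(strings.Split(target, "/"), todo...) // expand in place
			continue
		}
		cur = next
	}
	res.Path = path.Join(root, cur)
	return res, nil
}
```

Feeding it a symlink whose target has too many `..` components shows why the clamp matters: the link still resolves inside the root, and CrossedRoot records that it would not have without it.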
