From d_werner at gmx.net Wed Oct 21 13:05:10 2020 From: d_werner at gmx.net (dieter) Date: Wed, 21 Oct 2020 15:05:10 +0200 Subject: extfs changes with mc 4.8.25 regarding '.' '..' in filenames list Message-ID: <20201021150510.33635bb6@zenon> Hi, due to limitations of the tar support built-in in mc (as tracked in tickets #2201 und #1952) I am using an extfs module to access tar archives - the one from openSUSE mentioned in ticket #2201. I noticed that it "stopped working" with mc 4.8.25 which has landed in openSUSE Tumbleweed: entering a tar archive which contains files no files are listed anymore in the panel. After some debugging I found the cause: This "untar" module adds "./" at the beginning of the extracted filenames in order to handle filenames beginning with a blank. Removing this "./" it works again, except for filenames which start with a blank - they are listed in the panel but can not be opened or extracted because tar can not find them in the archive without the missing blank. I found that in some other extfs modules (for deb and urar) in mc 4.2.25 also the "./" was removed and I found commit https://github.com/MidnightCommander/mc/commit/e1a1990055017aac1f1c906df980f3a28683efd4 that . and .. may no longer appear in listed file names. I am happy that according to ticket #1952 native support for full featured tar files will come back into mc, but I wonder in general how extfs modules are now supposed to handle files contained in archives beginning blanks? Is there some other marker supported for such cases? Regards, Dieter From petr.spacek at nic.cz Wed Oct 21 13:48:44 2020 From: petr.spacek at nic.cz (=?UTF-8?B?UGV0ciDFoHBhxI1law==?=) Date: Wed, 21 Oct 2020 15:48:44 +0200 Subject: how to report security bugs? Message-ID: Hello, what is the recommended way to report security bugs? I have an archive which reproducibly crashes MC even though the archive itself is fine (passes integrity check and can be decompressed without causing problems in decompressor). I don't know if the bug is exploitable or not so I'm looking for a proper channel. Thank you. -- Petr ?pa?ek @ CZ.NIC From aborodin at vmail.ru Wed Oct 21 14:36:45 2020 From: aborodin at vmail.ru (Andrew Borodin) Date: Wed, 21 Oct 2020 17:36:45 +0300 Subject: how to report security bugs? In-Reply-To: References: Message-ID: On Wed, 21 Oct 2020 15:48:44 +0200 Petr ?pa?ek via mc-devel wrote: > what is the recommended way to report security bugs? https://midnight-commander.org/wiki/NewTicket Registration is required. -- Andrew From aborodin at vmail.ru Wed Oct 21 15:39:36 2020 From: aborodin at vmail.ru (Andrew Borodin) Date: Wed, 21 Oct 2020 18:39:36 +0300 Subject: extfs changes with mc 4.8.25 regarding '.' '..' in filenames list In-Reply-To: <20201021150510.33635bb6@zenon> References: <20201021150510.33635bb6@zenon> Message-ID: On Wed, 21 Oct 2020 15:05:10 +0200 dieter via mc-devel wrote: > This "untar" module adds "./" at the beginning of the extracted > filenames in order to handle filenames beginning with a blank. > > Removing this "./" it works again, except for filenames which start > with a blank - they are listed in the panel but can not be opened or > extracted because tar can not find them in the archive without the > missing blank. Seems this bug and https://midnight-commander.org/ticket/4077 have the same root. > I found that in some other extfs modules (for deb and urar) in mc 4.2.25 > also the "./" was removed I'll try to get extfs working again with leading ./ in the file names. -- Andrew From d_werner at gmx.net Wed Oct 21 17:43:43 2020 From: d_werner at gmx.net (dieter) Date: Wed, 21 Oct 2020 19:43:43 +0200 Subject: extfs changes with mc 4.8.25 regarding '.' '..' in filenames list In-Reply-To: References: <20201021150510.33635bb6@zenon> Message-ID: <20201021194343.6b46bd6b@zenon> On Wed, 21 Oct 2020 18:39:36 +0300 Andrew Borodin wrote: > On Wed, 21 Oct 2020 15:05:10 +0200 dieter via mc-devel > wrote: > > This "untar" module adds "./" at the beginning of the extracted > > filenames in order to handle filenames beginning with a blank. > > > > Removing this "./" it works again, except for filenames which start > > with a blank - they are listed in the panel but can not be opened or > > extracted because tar can not find them in the archive without the > > missing blank. > > Seems this bug and https://midnight-commander.org/ticket/4077 have > the same root. a filename beginning with "-" is worse than a blank... > > I found that in some other extfs modules (for deb and urar) in mc > > 4.2.25 also the "./" was removed > > I'll try to get extfs working again with leading ./ in the file names. > great, thanks a lot! Regards, Dieter