Comment on 700+ self-hosted Git instances battered in 0-day attacks
JackbyDev@programming.dev 3 days ago
I think the ZIP standard has something similar and it causes similar problems.
PlexSheep@infosec.pub 2 days ago
It’s because of the old notion of “be generous in what you accept and strict in what you send”. I think the error is something about adding more parent directories so that part of your zip file will be extracted above the selected directory. Not all implementations of zip support this “feature”.
There are also all kinds of stupid ancient features in tar and zip from a time when hard drives were measured in megabytes or less. The latest episode of the open source security podcast talks about it.
Jason2357@lemmy.ca 2 days ago
We also have COW filesystems now. If you need large datasets in different places, used by different projects, etc., just copy them and use BTRFS or ZFS or whatever. It won't take any space and be safer. Git also has multiple ways of connecting external data artifacts. Git should by default reject symlinks.
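The two hazards raised in this thread (archive entries that climb above the extraction directory with `..`, and symlink entries whose target points outside the tree) can be checked before anything is written to disk. The following is an added example written for this thread, not code from the article or from any of the commenters; the zip and tar archives it builds in memory, and the file names inside them, are constructed for the demonstration. It lists the offending members of an archive instead of extracting it, so it can be dropped in front of any extraction step as a pre-flight check.

```python
import io
import posixpath
import tarfile
import zipfile


def is_safe_member_name(name: str) -> bool:
    """True if an archive entry name stays inside the extraction directory.

    Rejects absolute paths, Windows drive letters and any '..' component,
    wherever it appears in the path (a '..' in the middle can still escape
    once the earlier components are collapsed by normalisation).
    """
    if not name:
        return False
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    return ".." not in posixpath.normpath(name).split("/")


def link_escapes(member_name: str, link_target: str) -> bool:
    """True if a symlink entry, resolved relative to its own location, leaves the tree."""
    if link_target.startswith("/"):
        return True
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(member_name), link_target)
    )
    return resolved == ".." or resolved.startswith("../")


def unsafe_zip_members(data: bytes) -> list:
    """Names of zip entries that would land outside the target directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member_name(i.filename)]


def unsafe_tar_members(data: bytes) -> list:
    """Names of tar entries that escape via '..' or via a symlink/hardlink target.

    Hardlink targets are relative to the archive root, so they get the same
    name check as regular entries; symlink targets are relative to the link.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            if not is_safe_member_name(m.name):
                bad.append(m.name)
            elif m.issym() and link_escapes(m.name, m.linkname):
                bad.append(m.name)
            elif m.islnk() and not is_safe_member_name(m.linkname):
                bad.append(m.name)
    return bad


def build_sample_zip() -> bytes:
    """Constructed zip: one honest entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/README.md", "hello")
        zf.writestr("../../.ssh/authorized_keys", "constructed traversal entry")
        zf.writestr("project/../../escape.txt", "'..' hidden mid-path")
    return buf.getvalue()


def build_sample_tar() -> bytes:
    """Constructed tar: a regular file, an escaping symlink and a harmless one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        content = b"fine"
        ti = tarfile.TarInfo("project/data.txt")
        ti.size = len(content)
        tf.addfile(ti, io.BytesIO(content))
        link = tarfile.TarInfo("project/config")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"  # resolves above the archive root
        tf.addfile(link)
        alias = tarfile.TarInfo("project/alias")
        alias.type = tarfile.SYMTYPE
        alias.linkname = "data.txt"  # stays inside project/
        tf.addfile(alias)
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe zip members:", unsafe_zip_members(build_sample_zip()))
    print("unsafe tar members:", unsafe_tar_members(build_sample_tar()))
```

The per-entry check is deliberately strict rather than clever: an entry is rejected if any `..` component survives normalisation, not only when it is the first component. One caveat worth knowing when extracting for real: a symlink created by an earlier entry can be used as a directory by a later entry, which a name-only check cannot see. Extractors should therefore refuse to follow links they themselves created; on Python 3.12 and later, `tarfile`'s extraction filters (`filter="data"`) enforce this, and older code should extract with links disallowed or resolve the real path of every destination before writing.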
PlexSheep@infosec.pub 2 days ago
This is sadly not easily generalizable, since a lot of people still use legacy operating systems with filesystems like NTFS, which as far as I know is not COW.