
Fix tar option-injection in mk-image-mr helper #61

Merged
h4x3rotab merged 1 commit into main from codex/propose-fix-for-tar-option-injection-vulnerability
May 8, 2026

Conversation

@h4x3rotab

Contributor

Motivation

  • Prevent tar option-injection when re-archiving flattened files from potentially untrusted downloaded or local archives, which could allow attacker-controlled filenames beginning with - to be interpreted as tar options and lead to command execution.

Description

  • Add the end-of-options marker to the final tar invocation in scripts/bin/mk-image-mr.sh by changing tar -czf "../$OUTPUT_FILE" * to tar -czf "../$OUTPUT_FILE" -- * so dash-prefixed filenames are treated as data.

Testing

  • Ran bash -n scripts/bin/mk-image-mr.sh for a syntax check and it succeeded.

Codex Task
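The vulnerable and fixed tar invocations side by side, as an added example that is not part of this PR or of the project's script. The fixture directory and the dash-prefixed file name `--verbose` are constructed for the demonstration; `-v`/`--verbose` is used because it changes what lands in the archive without doing anything harmful.

```shell
#!/bin/sh
# Added example (not the project's mk-image-mr.sh): why "--" matters when a
# glob expands over file names that came from an untrusted archive.

# Build a scratch directory holding an ordinary file plus a constructed,
# dash-prefixed name of the kind a hostile archive could carry.
make_fixture() {
  dir=$(mktemp -d)
  printf 'payload\n' > "$dir/data.txt"
  printf 'not an option\n' > "$dir/--verbose"   # constructed hostile name
  echo "$dir"
}

# Defensive pre-check: print every entry whose name begins with "-".
dash_names() {   # $1 = directory
  (cd "$1" && for f in ./*; do
     case "${f#./}" in -*) printf '%s\n' "${f#./}";; esac
   done)
}

# Pattern before the fix: "*" expands to "--verbose data.txt", and tar
# consumes "--verbose" as an option, so that entry never becomes a member.
archive_unsafe() {   # $1 = source dir, $2 = absolute output path
  (cd "$1" && tar -czf "$2" *) 2>/dev/null
}

# Pattern after the fix: "--" ends option parsing, so every glob result is
# treated as a member name. (Prefixing the glob as ./* is an equivalent fix.)
archive_safe() {     # $1 = source dir, $2 = absolute output path
  (cd "$1" && tar -czf "$2" -- *)
}

# Number of members in an archive; 0 if the archive was never written.
member_count() {     # $1 = archive path
  [ -f "$1" ] || { echo 0; return; }
  tar -tzf "$1" | wc -l | tr -d ' '
}

# Demonstration: the unsafe form records one member, the fixed form two.
SRC=$(make_fixture); OUT=$(mktemp -d)
archive_unsafe "$SRC" "$OUT/unsafe.tgz"
archive_safe   "$SRC" "$OUT/safe.tgz"
echo "suspicious names: $(dash_names "$SRC")"
echo "unsafe: $(member_count "$OUT/unsafe.tgz") member(s), safe: $(member_count "$OUT/safe.tgz") member(s)"
rm -rf "$SRC" "$OUT"
```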

@h4x3rotab h4x3rotab merged commit faa8e53 into main May 8, 2026
3 checks passed
@h4x3rotab h4x3rotab deleted the codex/propose-fix-for-tar-option-injection-vulnerability branch May 8, 2026 22:33