backdrop / backdrop-issues

Issue tracker for Backdrop core.

Drop support for .tar.gz files (remove Archive_tar from core) #4897

Open jenlampton opened 3 years ago

jenlampton commented 3 years ago

The archive_tar library is only used in one instance for Backdrop: the user interface that allows people to upload modules via the Installer module. (The Installer module also allows browse/install from backdropcms.org, and that would not be affected.)

This year we've had several security releases specifically to address vulnerabilities in archive_tar.

I would like to propose that we remove this from core, and thus only support the upload of .zip files.

This is likely something that would need to wait until 2.x, so labeling as such.

quicksketch commented 3 years ago

Just a note that currently all packages we publish to GitHub are only available as ZIP files. So all module installs and upgrades use ZIP currently.

I'm sure there are many differences between zip and tar.gz files, but one of the issues that make tar.gz files problematic is that they fully preserve filesystem characteristics such as symlinks and file permissions. Zip files discard that information and really only store the files. I think generally this makes it a "safer" archival format, although less flexible and capable.
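
The filesystem metadata mentioned in the comment above (symlinks and permission bits carried in tar headers) can be inspected before anything is extracted. The Python below is an added example, not part of this thread and not Backdrop or Archive_Tar code; the sample archive is constructed, and the names `build_sample_tar` and `audit_tar` are hypothetical.

```python
import io
import stat
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample upload: a normal file, a setuid file,
    a traversal path and a symlink that points outside the module."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name, mode, data=b"<?php\n"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add_file("mymodule/mymodule.module", 0o644)
        add_file("mymodule/helper", 0o4755)       # setuid bit set
        add_file("../outside.txt", 0o644)         # escapes the target dir
        link = tarfile.TarInfo("mymodule/settings")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside-target"    # constructed link target
        tar.addfile(link)
    return buf.getvalue()


def audit_tar(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each entry an uploader should reject."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # reads headers only; nothing is written to disk
            parts = m.name.replace("\\", "/").split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append((m.name, "path escapes extraction directory"))
            if m.issym() or m.islnk():
                findings.append((m.name, f"link to {m.linkname}"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file (device/FIFO)"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH):
                findings.append((m.name, f"unsafe mode {oct(m.mode)}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_tar()):
        print(f"REJECT {name}: {reason}")
```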

jenlampton commented 3 years ago

I was thinking about this the other day and I think we can do it in 1.x by adding an admin setting to enable .tar.gz files, disabled for new sites. Maybe disabled for all sites?

klonos commented 3 years ago

Having it as an option, and keeping it disabled by default makes sense to me, especially since this functionality relies on a 3rd-party library. This will provide a mitigation mechanism, so when/if there are security updates for that 3rd-party library, we can be "downgrading" the severity, and apply the security fix at a pace that suits our capacity (instead of having to decide on whether to rush a security release, or delay).