Re: [Bug-tar] [PATCH v2] Intelligent subdirectory creation to guard agai
From: Eric Blake
Subject: Re: [Bug-tar] [PATCH v2] Intelligent subdirectory creation to guard against tarbombs
Date: Mon, 12 Aug 2013 14:22:45 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8
On 08/12/2013 02:13 PM, Connor Behan wrote:
> Warnings and workarounds concerning tarbombs (archives not storing their
> contents within a single directory) have pervaded the free software
> community for years. However, GNU tar still does not have an option to
> deal with them. This implements a request made on the official website
> in 2007. During extraction the new option conditionally creates a
> directory derived from the basename of the archive, falling back to the
> usual method if the directory already exists.
>
> Signed-off-by: Connor Behan <address@hidden>
> ---
> doc/tar.texi | 12 +++++++++
> src/common.h | 3 +++
> src/extract.c | 84
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/tar.c | 11 ++++++++
> 4 files changed, 110 insertions(+)
>
> diff --git a/doc/tar.texi b/doc/tar.texi
> index 2661174..365f7b3 100644
> --- a/doc/tar.texi
> +++ b/doc/tar.texi
> @@ -2795,6 +2795,18 @@ at the end of each tape. If it exits with nonzero
> status,
> @command{tar} fails immediately. @xref{info-script}, for a detailed
> discussion of this feature.
>
> address@hidden
> address@hidden --intelligent-subdir
> +
> +Tells @command{tar} to extract files into a newly created directory if an
> +extraction would otherwise place more than one file in the archive's
> +parent directory. This guards against so-called tarbombs. The name of the
> +new directory is a substring of the basename of the file from the
> +beginning up to and not including the last occurrence of @samp{.tar}. For
> +example, @file{foo.tar} and @file{foo.tar.gz} would be extracted into
> address@hidden while @file{foo.tar.tar} would be extracted into
> address@hidden
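Review bot: the manual text for --intelligent-subdir (the paragraph beginning "Tells @command{tar} to extract files into a newly created directory") omits the fallback that the commit message describes, where extraction reverts to the usual method if the derived directory already exists. The guard against tarbombs does not apply in that case, so the documentation should say so explicitly. It should also state which name is used when the archive is read from standard input and therefore has no basename from which to derive a directory.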
What if my tar file was named foo.tgz?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org