[Bug-tar] Interpreting filenames as rsh hosts by default
From: Hanno Böck
Subject: [Bug-tar] Interpreting filenames as rsh hosts by default
Date: Sun, 7 May 2017 12:43:11 +0200

Hi,

I recently was made aware of a behavior of GNU tar that I find very
surprising and also risky:
https://twitter.com/flameeyes/status/858757896858947585

It seems if you create a filename with a colon (":"), tar interprets
everything before it as a hostname for an rsh connection. Example:

$ touch 'a:b.tar'
$ tar xf a\:b.tar
tar: Cannot connect to a: resolve failed

This is definitely concerning for privacy reasons. It allows someone to
create a file and if a user tries to unpack it, it will try to create a
network connection. (It doesn't seem to be possible however to use
DNS-valid names, because as soon as there's a dot in the string before
the colon it doesn't seem to interpret it any more. But there may be a
way to bypass this.)

I'm not sure if anyone uses this feature any more, as rsh is early 90s
technology. So it might be a good idea to just remove it. (That would
also kinda align with "unix philosophy" - one tool for one job.)

If it can't be removed for whatever reason please at least make it
non-default. (There's a parameter --force-local, that's probably the
behavior one wants by default.)

--
Hanno Böck
https://hboeck.de/
mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
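
Added example (not part of the original message and not GNU tar project code): a shell wrapper for scripts that unpack archives whose names they do not control, so that a name such as 'a:b.tar' is always opened as a local file. The function names are hypothetical, and the rule in looks_remote (a colon that is not the first character and has no "/" before it) is an assumption about how GNU tar decides that a name is host:file.

```shell
#!/bin/sh
# Added example: keep GNU tar from reading an archive name as host:file.

# Return 0 if the name in $1 would be taken as a remote archive.
# Assumed rule: it contains a colon, the colon is not the first
# character, and no "/" appears before the first colon.
looks_remote() {
    prefix=${1%%:*}                       # text before the first colon
    [ "$prefix" != "$1" ] || return 1     # no colon at all
    [ -n "$prefix" ] || return 1          # colon is the first character
    case "$prefix" in
        */*) return 1 ;;                  # a slash before the colon: local path
    esac
    return 0
}

# Print a spelling of the path that cannot be parsed as host:file.
# Prefixing "./" puts a slash before the colon without changing the file.
local_name() {
    if looks_remote "$1"; then
        printf './%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Extract archive $1 into directory $2 without any remote lookup.
# --force-local is the GNU tar option named in the message above; the
# rewritten name is a second safeguard in case the option is dropped.
extract_local() {
    archive=$(local_name "$1")
    mkdir -p -- "$2" && tar --force-local -xf "$archive" -C "$2"
}
```

A script would call extract_local "$untrusted_name" "$destination" instead of invoking tar xf directly.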