[Bug-tar] Anti-tarbomb feature --new-dir
From: Martin von Gagern
Subject: [Bug-tar] Anti-tarbomb feature --new-dir
Date: Mon, 18 Jul 2011 11:40:59 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110707 Thunderbird/5.0
Hi!
I find myself often doing things like "tar tf" followed by "tar xf",
where the tf is only to ensure that the tar does contain a single
subdirectory. Computers could do this check much more quickly, so I'd
like to request an option for it.
I suggest a long name like "--new-dir", and whatever short name you
might find suitable for it, perhaps "-N" or "-B".
The option would ensure that the tarball
1. does create a single new directory
2. places all files inside that directory
I understand that tar operates on a stream and it would be infeasible to
inspect the whole archive before writing the files. So in more detail,
the operation should probably work like this (pseudocode):
  dirName = NULL;
  for (all entries) {
    if (entry describes ".") // can this ever happen?
      continue;
    if (entry starts in "/" or uses "../" references)
      die("tarbomb: bad path %s", entry path)
    firstDir = first arc of entry path;
    if (file directly inside base directory)
      die ("tarbomb: file not inside any dir");
    if (dirName == NULL) {
      dirName = firstDir;
      if (directory dirName exists)
        die ("tarbomb: directory %s already exists", dirName);
      create directory dirName;
    }
    else if (dirName != firstDir) {
      recursively delete directory dirName;
      die ("tarbomb: creates multiple directories");
    }
    unpack entry as usual;
  }
  if (dirName != NULL and --print-new-dir specified)
    printf ("%s\n", dirName);
This would use the first entry as a specification of the directory to
create. Any later violation of the expected behaviour would cause tar to
clean up before exiting with an error message.
I also think printing the name of the newly created directory might be
useful under some circumstances, so I added an option for that as well.
What do you think? Has this been discussed before? Do you want a patch
for this? I'd be happy to write one, but employer disclaimer might be a
problem.
Please reply also by personal mail, as I don't follow this list.
Greetings,
Martin von Gagern
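
The checks proposed in the message above, as an added example that is not part of the original post and not GNU tar code. It validates the member list before anything is unpacked, rather than the single-pass unpack-and-clean-up the message describes; `new_dir_name`, `TarbombError`, the `exists` hook and `build_sample` are hypothetical names, and the archives are constructed in memory.

```python
import io
import posixpath
import tarfile


class TarbombError(ValueError):
    """Archive violates the single-new-directory rule."""


def new_dir_name(tar, exists=lambda name: False):
    """Return the one top-level directory all members share, or raise.

    `exists` is a hypothetical hook reporting whether a directory of that
    name is already present in the extraction target.
    """
    dir_name = None
    for member in tar:
        path = posixpath.normpath(member.name)
        if path == ".":
            continue
        if member.name.startswith("/") or ".." in member.name.split("/"):
            raise TarbombError(f"bad path {member.name}")
        first = path.split("/")[0]
        if path == first and not member.isdir():
            raise TarbombError("file not inside any dir")
        if dir_name is None:
            if exists(first):
                raise TarbombError(f"directory {first} already exists")
            dir_name = first
        elif first != dir_name:
            raise TarbombError("creates multiple directories")
    return dir_name


def build_sample(entries):
    """Constructed sample input: in-memory archive from (name, is_dir) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    sample = build_sample([("pkg", True), ("pkg/README", False)])
    print(new_dir_name(sample))
```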