bug-tar

From: Eric Blake
Subject: Re: [Bug-tar] [PATCH v2] Intelligent subdirectory creation to guard against tarbombs
Date: Mon, 12 Aug 2013 14:22:45 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8

On 08/12/2013 02:13 PM, Connor Behan wrote:
> Warnings and workarounds concerning tarbombs (archives not storing their
> contents within a single directory) have pervaded the free software
> community for years. However, GNU tar still does not have an option to
> deal with them. This implements a request made on the official website
> in 2007. During extraction the new option conditionally creates a
> directory derived from the basename of the archive, falling back to the
> usual method if the directory already exists.
> 
> Signed-off-by: Connor Behan <address@hidden>
> ---
>  doc/tar.texi  | 12 +++++++++
>  src/common.h  |  3 +++
>  src/extract.c | 84 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  src/tar.c     | 11 ++++++++
>  4 files changed, 110 insertions(+)
> 
> diff --git a/doc/tar.texi b/doc/tar.texi
> index 2661174..365f7b3 100644
> --- a/doc/tar.texi
> +++ b/doc/tar.texi
> @@ -2795,6 +2795,18 @@ at the end of each tape.  If it exits with nonzero 
> status,
>  @command{tar} fails immediately.  @xref{info-script}, for a detailed
>  discussion of this feature.
>  
> address@hidden
> address@hidden --intelligent-subdir
> +
> +Tells @command{tar} to extract files into a newly created directory if an
> +extraction would otherwise place more than one file in the archive's
> +parent directory. This guards against so-called tarbombs. The name of the
> +new directory is a substring of the basename of the file from the
> +beginning up to and not including the last occurrence of @samp{.tar}. For
> +example, @file{foo.tar} and @file{foo.tar.gz} would be extracted into
> address@hidden while @file{foo.tar.tar} would be extracted into
> address@hidden
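
Review bot: The naming rule in the added --intelligent-subdir text ("up to and not including the last occurrence of @samp{.tar}") is undefined when the archive name contains no ".tar" at all, or when there is no archive file name because the archive is read from standard input. The documentation should state the directory name or the fallback used in those cases. In the same paragraph, "the archive's parent directory" reads as the directory that holds the archive file, while tar extracts into the working directory; consider wording it as the directory being extracted into.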

What if my tar file was named foo.tgz?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
