2 issues with tar

Alexander Shishkin virtuoso at slind.org
Wed Mar 2 02:35:47 UTC 2011


On Wed, Mar 02, 2011 at 12:58:58AM +0100, Denys Vlasenko wrote:
> On Tuesday 01 March 2011 21:14, Alexander Shishkin wrote:
> > On 1 March 2011 18:18, Denys Vlasenko <vda.linux at googlemail.com> wrote:
> > > On Monday 28 February 2011 09:23, Alexey Soloviev wrote:
> > >> Hello,
> > >> Met 2 problems with tar and wander if they are new or known.
> > >>
> > >> Issue 1: tar doesn't restore files or directories added with relative
> > >> name starting with "../"
> > >> Scenario:
> > >> busybox tar -c -f archive.tar ../tobearchived
> > >> busybox tar -xf archive.tar
> > >> tar: name with '..' encountered: '../tobearchived'
> > >>
> > >> Gnu tar removes ../ from paths of archived files and directories, while
> > >> busybox's tar doesn't.
> > >> Should it be fixed?
> > >> Note that archive created by busybox tar on the 1st step can be restored
> > >> by gnu tar but not by busybox's.
> > >
> > > Proposed patch.
> > 
> > This doesn't address the archive creation case, in which GNU tar would strip
> > the /../ just as well.
> 
> Doesn't look like it's worth fixing, since unpacking code mush be prepared
> to see malicious tarballs anyway.

Well, you can fix it at no additional cost by making the loop into a separate
function, which you call from writeFileToTarball() instead of stripping the
leading '/'. Bonus is that busybox tar and GNU tar will create similar looking
archives from similar input.

> > Otherwise it's pretty much the same as what I've come up 
> > with earlier today. :)
> 
> With your patch we have 20+ bytes growth in data:

No, the new one I have made before an urgent retreat to a pub earlier
today. And I only have it on my machine at work.

> function                                             old     new   delta
>    text    data     bss     dec     hex filename
>  871090     493    7584  879167   d6a3f busybox_old
>  871087     517    7584  879188   d6a54 busybox_unstripped

Regards,
--
Alex


More information about the busybox mailing list