Invalid tar magic when streaming download

Kang-Che Sung explorer09 at gmail.com
Fri Dec 6 00:47:08 UTC 2019


On Friday, December 6, 2019, Eli Schwartz <eschwartz at archlinux.org> wrote:
> libarchive bsdtar works, which I guess means that libarchive permits you
> to wrap a tarball in *two* layers of gzip compression, then extract the
> contents. Personally, I would claim this is a buggy design goal, because
> you'd have to be nuts to create tarballs with multiple layers of
> recursive compression.
>

I think it's also good to mention that allowing extraction of multiple
layers of compression could lead to a security risk (DoS) for tar.

There are specifically crafted gzip archives on the Internet meant to crash
(or stress) antivirus scanners with multiple layers of compression. And
there is also a thing called a "gzip quine". I think it's the right choice for
tar to reject it at first. If users want to decompress multiple layers,
they can do it with a shell script loop.
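The DoS concern above is easy to demonstrate from the defending side: unwrap gzip layers one at a time, refuse to go past a fixed depth, and bound how much each layer may inflate to. This is an added example, not code from busybox or libarchive; the limits, the helper names and the sample tarball are constructed for illustration.

```python
import gzip
import io
import tarfile
import zlib
GZIP_MAGIC = b"\x1f\x8b"                     # first two bytes of any gzip stream
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"  # POSIX/pax tar header magic

class UnsafeArchive(Exception):
    """Input needs more gzip layers or more output space than policy allows."""

def unwrap_gzip_layers(data, max_layers=1, max_output=64 * 1024 * 1024):
    """Strip gzip layers until a non-gzip payload appears; refuse a layer past
    max_layers (the nested-gzip case from the thread) and refuse any layer that
    inflates beyond max_output bytes. Returns (payload, layers_removed)."""
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise UnsafeArchive(f"gzip layer {layers + 1} exceeds limit of {max_layers}")
        dec = zlib.decompressobj(wbits=31)          # 31 = gzip wrapper, 32K window
        out = dec.decompress(data, max_output + 1)  # bounded: stops instead of inflating all
        if len(out) > max_output:
            raise UnsafeArchive(f"layer {layers + 1} inflates past {max_output} bytes")
        if not dec.eof:
            raise UnsafeArchive(f"layer {layers + 1} is truncated")
        data, layers = out, layers + 1
    return data, layers

def looks_like_tar(data):
    return data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC

def is_rejected(data, **limits):
    """True if unwrap_gzip_layers refuses the input under the given limits."""
    try:
        unwrap_gzip_layers(data, **limits)
    except UnsafeArchive:
        return True
    return False

def build_sample(layers):
    """Constructed input: a one-file tarball wrapped in `layers` gzip layers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello from a constructed tarball\n"
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    data = buf.getvalue()
    for _ in range(layers):           # each pass adds one gzip wrapper
        data = gzip.compress(data)
    return data
```

With the default `max_layers=1`, a tar.gz passes and a tar.gz.gz is refused before the second layer is inflated; the size bound stops a single highly compressible layer from consuming unbounded memory.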