busybox

x/busybox

mirror of https://git.busybox.net/busybox synced 2026-02-15 22:16:09 +00:00

History

Denys Vlasenko 3fb6b31c71 tar: strip unsafe hardlink components - GNU tar does the same Defends against files like these (python reproducer): import tarfile ti = tarfile.TarInfo("leak_hosts") ti.type = tarfile.LNKTYPE ti.linkname = "/etc/hosts" # or "../etc/hosts" or ".." ti.size = 0 with tarfile.open("/tmp/hardlink.tar", "w") as t: t.addfile(ti) function old new delta skip_unsafe_prefix - 127 +127 get_header_tar 1752 1754 +2 .rodata 106861 106856 -5 unzip_main 2715 2706 -9 strip_unsafe_prefix 102 18 -84 ------------------------------------------------------------------------------ (add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98) Total: 31 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>		2026-01-29 12:01:56 +01:00
..
.gitignore
applet_metadata.h
applets.h.sh
applets.src.h
ar_.h	archival: avoid std namespace for local includes	2020-11-16 13:24:24 +01:00
bb_archive.h	tar: strip unsafe hardlink components - GNU tar does the same	2026-01-29 12:01:56 +01:00
bb_e2fs_defs.h	lsattr: support more ext2 flags	2021-06-20 12:34:05 +02:00
busybox.h
dump.h	libbb/dump: make xxd_displayoff member conditional on xxd	2023-05-27 14:52:17 +02:00
fix_u32.h
grp_.h
inet_common.h
libbb.h	httpd: code shrink via "split-globals" trick	2026-01-24 05:22:33 +01:00
liblzo_interface.h
platform.h	httpd: simplify CGI headers handling, check "HTTP/1.1" prefix, not just "HTTP"	2026-01-23 10:14:04 +01:00
pwd_.h
rtc_.h	hwclock: add get/set parameters option	2023-07-12 16:27:49 +02:00
shadow_.h
unicode.h
usage.src.h	password applets: update help text	2025-07-18 07:28:32 +02:00
volume_id.h
xatonum.h
xregex.h