x/busybox
1
0
Fork 0
mirror of https://git.busybox.net/busybox synced 2026-02-22 10:12:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
busybox/archival
History
Denys Vlasenko 3fb6b31c71 tar: strip unsafe hardlink components - GNU tar does the same 
Defends against files like these (python reproducer):

import tarfile
ti = tarfile.TarInfo("leak_hosts")
ti.type = tarfile.LNKTYPE
ti.linkname = "/etc/hosts"  # or "../etc/hosts" or ".."
ti.size = 0
with tarfile.open("/tmp/hardlink.tar", "w") as t:
	t.addfile(ti)

function                                             old     new   delta
skip_unsafe_prefix                                     -     127    +127
get_header_tar                                      1752    1754      +2
.rodata                                           106861  106856      -5
unzip_main                                          2715    2706      -9
strip_unsafe_prefix                                  102      18     -84
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98)            Total: 31 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2026-01-29 12:01:56 +01:00
..
libarchive tar: strip unsafe hardlink components - GNU tar does the same 2026-01-29 12:01:56 +01:00
ar.c libbb: eliminate a static data array in bb_mode_string() 2021-09-17 01:18:31 +02:00
bbunzip.c libbb/archival: make setup_unzip_on_fd() return bytes read if not compressed 2025-04-20 23:49:33 +02:00
bbunzip_test.sh
bbunzip_test2.sh
bbunzip_test3.sh
bzip2.c *: --help tweaks 2021-06-14 20:47:20 +02:00
chksum_and_xwrite_tar_header.c tar,smemcap: silence compiler warning 2021-08-22 15:44:57 +02:00
Config.src archival: disallow path traversals (CVE-2023-39810) 2025-04-16 03:03:17 +02:00
cpio.c cpio: map -F to --file long option 2025-07-02 00:07:18 +02:00
dpkg.c *: style fix 2022-08-30 16:41:17 +02:00
dpkg_deb.c Update applet size estimates 2023-07-10 17:25:21 +02:00
gzip.c awk: use more understandable form of "split-globals" trick 2026-01-24 05:43:45 +01:00
Kbuild.src cpio: implement -R/--owner 2015-10-16 17:24:46 +02:00
lzop.c Update applet size estimates 2023-07-10 17:25:21 +02:00
rpm.c rpm2cpio: extract cpio even if compression is not known 2025-04-20 23:59:38 +02:00
rpm.h *: make GNU licensing statement forms more regular 2010-08-16 20:14:46 +02:00
tar.c tar: strip unsafe hardlink components - GNU tar does the same 2026-01-29 12:01:56 +01:00
tar_symlink_attack tar: postpone creation of symlinks with "suspicious" targets. Closes 8411 2017-07-24 17:20:13 +02:00
unzip.c tar: strip unsafe hardlink components - GNU tar does the same 2026-01-29 12:01:56 +01:00