On 08/12/2013 02:13 PM, Connor Behan wrote:
> Warnings and workarounds concerning tarbombs (archives not storing their
> contents within a single directory) have pervaded the free software
> community for years. However, GNU tar still does not have an option to
> deal with them. This implements a request made on the official website
> in 2007. During extraction the new option conditionally creates a
> directory derived from the basename of the archive, falling back to the
> usual method if the directory already exists.
>
> Signed-off-by: Connor Behan <connor.be...@gmail.com>
> --- > doc/tar.texi | 12 +++++++++ > src/common.h | 3 +++ > src/extract.c | 84 > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > src/tar.c | 11 ++++++++ > 4 files changed, 110 insertions(+) > > diff --git a/doc/tar.texi b/doc/tar.texi > index 2661174..365f7b3 100644 > --- a/doc/tar.texi > +++ b/doc/tar.texi > @@ -2795,6 +2795,18 @@ at the end of each tape. If it exits with nonzero > status, > @command{tar} fails immediately. @xref{info-script}, for a detailed > discussion of this feature. > > +@opsummary{intelligent-subdir} > +@item --intelligent-subdir > + > +Tells @command{tar} to extract files into a newly created directory if an > +extraction would otherwise place more than one file in the archive's > +parent directory. This guards against so-called tarbombs. The name of the > +new directory is a substring of the basename of the file from the > +beginning up to and not including the last occurrence of @samp{.tar}. For > +example, @file{foo.tar} and @file{foo.tar.gz} would be extracted into > +@file{foo} while @file{foo.tar.tar} would be extracted into > +@file{foo.tar}.
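Review bot: The @item --intelligent-subdir paragraph in doc/tar.texi defines the new directory's name only for basenames that contain @samp{.tar}, so it should also state what the option does when the basename has no such occurrence. The same paragraph leaves out the fallback the commit message describes ("falling back to the usual method if the directory already exists"); since that fallback means files can still land loose in the target directory, it belongs in the user-facing text. The phrase "the archive's parent directory" is also ambiguous: it can be read as the directory that holds the archive file rather than the directory being extracted into, so please say which one is meant.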
What if my tar file was named foo.tgz?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org