On 08/12/2013 02:13 PM, Connor Behan wrote:
> Warnings and workarounds concering tarbombs (archives not storing their
> contents within a single directory) have pervaded the free software
> community for years. However, GNU tar still does not have an option to
> deal with them. This implements a request made on the official website
> in 2007. During extraction the new option conditionally creates a
> directory derived from the basename of the archive, falling back to the
> usual method if the directory already exists.
>
> Signed-off-by: Connor Behan <connor.be...@gmail.com>
> ---
> doc/tar.texi | 12 +++++++++
> src/common.h | 3 +++
> src/extract.c | 84
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/tar.c | 11 ++++++++
> 4 files changed, 110 insertions(+)
>
> diff --git a/doc/tar.texi b/doc/tar.texi
> index 2661174..365f7b3 100644
> --- a/doc/tar.texi
> +++ b/doc/tar.texi
> @@ -2795,6 +2795,18 @@ at the end of each tape. If it exits with nonzero
> status,
> @command{tar} fails immediately. @xref{info-script}, for a detailed
> discussion of this feature.
>
> +@opsummary{intelligent-subdir}
> +@item --intelligent-subdir
> +
> +Tells @command{tar} to extract files into a newly created directory if an
> +extraction would otherwise place more than one file in the archive's
> +parent directory. This guards against so-called tarbombs. The name of the
> +new directory is a substring of the basename of the file from the
> +beginning up to and not including the last occurrence of @samp{.tar}. For
> +example, @file{foo.tar} and @file{foo.tar.gz} would be extracted into
> +@file{foo} while @file{foo.tar.tar} would be extracted into
> +@file{foo.tar}.What if my tar file was named foo.tgz? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
