On 13/08/13 08:56 PM, Paul Eggert wrote:
> Connor Behan wrote:
>> This could be handled without adding a new option
>> if -k became "don't replace existing files or create more than one file
>> at the top level when extracting, treat them as errors". So -k would
>> become a broader kind of "play it safe while extracting" option.
> We probably can't change -k that drastically, but it would
> be OK to add an option that says "allow at most one top-level
> name", which could be combined with -k.

Sounds good. AFAIK, the most promising way to avoid tarbombs so far is a
script called untar.py
<https://github.com/mjkelly/experiments/blob/master/untar.py> but it
would be annoying to get into the habit of typing a completely different
command for extracting. If tar quit and said "this is a tarbomb, you will
have to use untar.py this one time" I'd be more happy. I will submit a
patch that does this, as well as a v3 of my bigger patch.
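
The "allow at most one top-level name" check discussed in this thread, sketched as a pre-extraction test with Python's `tarfile` module. This is an added example, not part of the original message and not code from tar or untar.py. The function names and the in-memory sample archives are constructed for illustration, and treating `..` as a refusal case is an assumption that goes beyond what the thread proposes.

```python
import io
import posixpath
import tarfile


def top_level_names(tar):
    """Return the set of distinct first path components in an open TarFile."""
    names = set()
    for member in tar.getmembers():
        # Normalise "./pkg/a", "pkg//a" and "/pkg/a" to the same form.
        path = posixpath.normpath(member.name).lstrip("/")
        if path in ("", "."):
            continue  # the archive's own "./" entry is not a top-level name
        names.add(path.split("/", 1)[0])
    return names


def is_tarbomb(tar):
    """True if extraction would create more than one top-level name.

    A leading ".." is also refused (assumption added here), since such a
    member would land outside the extraction directory.
    """
    names = top_level_names(tar)
    return len(names) > 1 or ".." in names


def build_archive(paths):
    """Build a constructed in-memory tar holding empty files at the given paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p in paths:
            tar.addfile(tarfile.TarInfo(name=p), io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    # Constructed sample archives, one well-behaved and one tarbomb.
    for label, paths in [
        ("well-behaved", ["./pkg-1.0/README", "pkg-1.0/src/main.c"]),
        ("tarbomb", ["README", "Makefile", "src/main.c"]),
    ]:
        tar = build_archive(paths)
        verdict = "refuse" if is_tarbomb(tar) else "extract"
        print(f"{label}: {sorted(top_level_names(tar))} -> {verdict}")
```

The check only reads member headers, so it can run before any file is written to disk.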