tar: strip unsafe hardlink components - GNU tar does the same - busybox-w32 - A mirror of https://github.com/rmyorston/busybox-w32.git

diff options

author	Denys Vlasenko <vda.linux@googlemail.com>	2026-01-29 11:48:02 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2026-01-29 12:01:56 +0100
commit	3fb6b31c716669e12f75a2accd31bb7685b1a1cb (patch)
tree	2edc78a4850efbfc08719b20fa930771c84d6dbc /scripts/basic/split-include.c
parent	768ab5384ced12cb263fcfc7fba23cebf705c15f (diff)
download	busybox-w32-3fb6b31c716669e12f75a2accd31bb7685b1a1cb.tar.gz busybox-w32-3fb6b31c716669e12f75a2accd31bb7685b1a1cb.tar.bz2 busybox-w32-3fb6b31c716669e12f75a2accd31bb7685b1a1cb.zip

tar: strip unsafe hardlink components - GNU tar does the same

Defends against files like these (python reproducer): import tarfile ti = tarfile.TarInfo("leak_hosts") ti.type = tarfile.LNKTYPE ti.linkname = "/etc/hosts" # or "../etc/hosts" or ".." ti.size = 0 with tarfile.open("/tmp/hardlink.tar", "w") as t: t.addfile(ti) function old new delta skip_unsafe_prefix - 127 +127 get_header_tar 1752 1754 +2 .rodata 106861 106856 -5 unzip_main 2715 2706 -9 strip_unsafe_prefix 102 18 -84 ------------------------------------------------------------------------------ (add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98) Total: 31 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

Diffstat (limited to 'scripts/basic/split-include.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: