archive/tar: WriterHeader succeeds for bad headers #15567

Closed
dsnet opened this issue May 6, 2016 · 1 comment
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
@dsnet
dsnet commented May 6, 2016

Using go1.6

Some combinations of tar.Header fields are simply impossible to encode in any format. Some example situations that we currently "succeed" in, but should really error on:

  • Example: String fields can incorrectly have the NUL character in them. This is not allowed since the tar format uses C-strings.
  • Example: PAX attribute keys incorrectly allow the '=' character. This is not allowed since PAX uses the 'length keyword=value' format to encode attributes.
  • Example: Encoding of overflow integers causes the NUL terminator to disappear. In this situation, we should upgrade to using the base256 format, rather than overflowing the base8 format.
  • Example: Encoding of negative integers is incorrectly allowed in octal format. The GNU format seems to handle negative numbers, but only in the base256 format, not base8.
@dsnet dsnet changed the title archive/tar: WriterHeader succeeds for impossible headers archive/tar: WriterHeader succeeds for bad headers May 6, 2016
@dsnet dsnet self-assigned this May 9, 2016
@dsnet dsnet added this to the Unplanned milestone May 9, 2016
@bradfitz bradfitz modified the milestones: Go1.8, Unplanned May 9, 2016
@rsc rsc added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 29, 2016
@rsc rsc modified the milestones: Go1.8Maybe, Go1.8 Sep 29, 2016
@dsnet dsnet modified the milestones: Go1.9, Go1.8Maybe Oct 14, 2016
@dsnet dsnet modified the milestones: Go1.10, Go1.9 May 22, 2017
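
The four conditions listed in the issue, written as a pre-flight check on a `tar.Header`. This is an added example, not code from the issue or from archive/tar: `checkHeader` and `fitsInOctal` are hypothetical names, and the field widths (8 bytes for mode, uid and gid, 12 for size) are taken from the USTAR header layout.

```go
package main

import (
	"archive/tar"
	"fmt"
	"strings"
)

// fitsInOctal: a width-byte octal field holds width-1 digits plus the NUL
// terminator and has no sign, so negative or larger values need base256.
func fitsInOctal(width int, v int64) bool {
	return v >= 0 && v < int64(1)<<(uint(width-1)*3)
}

// checkHeader (hypothetical helper) lists the issue's conditions found in h.
func checkHeader(h *tar.Header) []string {
	var problems []string
	strs := []struct{ name, val string }{
		{"Name", h.Name}, {"Linkname", h.Linkname}, {"Uname", h.Uname}, {"Gname", h.Gname},
	}
	for _, f := range strs {
		// Header strings are stored as C-strings, so NUL would truncate them.
		if strings.Contains(f.val, "\x00") {
			problems = append(problems, f.name+": contains NUL")
		}
	}
	for k := range h.PAXRecords {
		// PAX records are "length keyword=value"; '=' in the key is ambiguous.
		if strings.Contains(k, "=") {
			problems = append(problems, fmt.Sprintf("PAX key %q: contains '='", k))
		}
	}
	nums := []struct {
		name  string
		width int
		val   int64
	}{
		{"Mode", 8, h.Mode}, {"Uid", 8, int64(h.Uid)}, {"Gid", 8, int64(h.Gid)}, {"Size", 12, h.Size},
	}
	for _, f := range nums {
		if !fitsInOctal(f.width, f.val) {
			problems = append(problems, f.name+": does not fit base8")
		}
	}
	return problems
}

func main() {
	// Constructed header that exhibits each condition once.
	h := &tar.Header{Name: "a\x00b", Uid: -1, Gid: 1 << 21, PAXRecords: map[string]string{"user=x": "v"}}
	fmt.Println(strings.Join(checkHeader(h), "\n"))
}
```
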
@gopherbot
Change https://golang.org/cl/55571 mentions this issue: archive/tar: reject bad key-value pairs for PAX records

@golang golang locked and limited conversation to collaborators Aug 15, 2018
@rsc rsc unassigned dsnet Jun 23, 2022
4 participants