Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

archive/tar: Writer permits "/" FileHeader rejected by Reader #9647

Closed
bradfitz opened this issue Jan 20, 2015 · 3 comments
Closed

archive/tar: Writer permits "/" FileHeader rejected by Reader #9647

bradfitz opened this issue Jan 20, 2015 · 3 comments
Labels
FrozenDueToAge
Milestone
Unplanned

Comments

@bradfitz
Copy link
Contributor

The archive/tar Writer permits adding a "/" FileHeader which is then rejected by the Reader in the same package. (and the Linux tar warns about it)

We should probably reject that name and other bogus names in WriteHeader.
@bradfitz bradfitz added this to the Go1.5 milestone Jan 20, 2015
@rsc
Copy link
Contributor

rsc commented Jun 29, 2015

Too late for Go 1.5.

@rsc rsc modified the milestones: Unplanned, Go1.5 Jun 29, 2015
@dsnet
Copy link
Member

dsnet commented Sep 10, 2015

As of Go1.5, I don't see any logic in the Reader that explicitly forbids "/" path. In fact, it seems that the Reader does properly read back "/". See playground

The "standards" doesn't explicitly reject "/". Personally, I think that tar should not forbid any paths. If "/" is rejected, should we also reject ""? What about absolute paths? As it is, any proper user of tar should be sanitizing the paths read out anyways.

Furthermore, I can imagine a possible use case of "/" where it is encoded into an archive to preserve uid, gid, or something similar.

@dsnet dsnet mentioned this issue Sep 16, 2015
Closed
@dsnet dsnet assigned dsnet and unassigned dsymonds May 9, 2016
@dsnet
Copy link
Member

dsnet commented Oct 14, 2016

Closing this. Although discouraged (and the tar utilities will warn), it is possible to have a folder named "/" and to have owner and permission bits set in the tar file and expect the tar utility to set the root directory to those values. I don't think we should forbid that behavior.

@dsnet dsnet closed this as completed Oct 14, 2016
@golang golang locked and limited conversation to collaborators Oct 14, 2017
@rsc rsc unassigned dsnet Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@bradfitz @dsymonds @rsc @dsnet @gopherbot