get_header_tar.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463
  1. /* vi: set sw=4 ts=4: */
  2. /* Licensed under GPLv2 or later, see file LICENSE in this source tree.
  3. *
  4. * FIXME:
  5. * In privileged mode if uname and gname map to a uid and gid then use the
  6. * mapped value instead of the uid/gid values in tar header
  7. *
  8. * References:
  9. * GNU tar and star man pages,
  10. * Opengroup's ustar interchange format,
  11. * http://www.opengroup.org/onlinepubs/007904975/utilities/pax.html
  12. */
  13. #include "libbb.h"
  14. #include "bb_archive.h"
  15. typedef uint32_t aliased_uint32_t FIX_ALIASING;
  16. typedef off_t aliased_off_t FIX_ALIASING;
  17. /* NB: _DESTROYS_ str[len] character! */
  18. static unsigned long long getOctal(char *str, int len)
  19. {
  20. unsigned long long v;
  21. char *end;
  22. /* NB: leading spaces are allowed. Using strtoull to handle that.
  23. * The downside is that we accept e.g. "-123" too :(
  24. */
  25. str[len] = '\0';
  26. v = strtoull(str, &end, 8);
  27. /* std: "Each numeric field is terminated by one or more
  28. * <space> or NUL characters". We must support ' '! */
  29. if (*end != '\0' && *end != ' ') {
  30. int8_t first = str[0];
  31. if (!(first & 0x80))
  32. bb_error_msg_and_die("corrupted octal value in tar header");
  33. /*
  34. * GNU tar uses "base-256 encoding" for very large numbers.
  35. * Encoding is binary, with highest bit always set as a marker
  36. * and sign in next-highest bit:
  37. * 80 00 .. 00 - zero
  38. * bf ff .. ff - largest positive number
  39. * ff ff .. ff - minus 1
  40. * c0 00 .. 00 - smallest negative number
  41. *
  42. * Example of tar file with 8914993153 (0x213600001) byte file.
  43. * Field starts at offset 7c:
  44. * 00070 30 30 30 00 30 30 30 30 30 30 30 00 80 00 00 00 |000.0000000.....|
  45. * 00080 00 00 00 02 13 60 00 01 31 31 31 32 30 33 33 36 |.....`..11120336|
  46. *
  47. * NB: tarballs with NEGATIVE unix times encoded that way were seen!
  48. */
  49. /* Sign-extend 7bit 'first' to 64bit 'v' (that is, using 6th bit as sign): */
  50. first <<= 1;
  51. first >>= 1; /* now 7th bit = 6th bit */
  52. v = first; /* sign-extend 8 bits to 64 */
  53. while (--len != 0)
  54. v = (v << 8) + (uint8_t) *++str;
  55. }
  56. return v;
  57. }
  58. #define GET_OCTAL(a) getOctal((a), sizeof(a))
  59. #define TAR_EXTD (ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX)
  60. #if !TAR_EXTD
  61. #define process_pax_hdr(archive_handle, sz, global) \
  62. process_pax_hdr(archive_handle, sz)
  63. #endif
  64. /* "global" is 0 or 1 */
  65. static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int global)
  66. {
  67. #if !TAR_EXTD
  68. unsigned blk_sz = (sz + 511) & (~511);
  69. seek_by_read(archive_handle->src_fd, blk_sz);
  70. #else
  71. unsigned blk_sz = (sz + 511) & (~511);
  72. char *buf, *p;
  73. p = buf = xmalloc(blk_sz + 1);
  74. xread(archive_handle->src_fd, buf, blk_sz);
  75. archive_handle->offset += blk_sz;
  76. /* prevent bb_strtou from running off the buffer */
  77. buf[sz] = '\0';
  78. while (sz != 0) {
  79. char *end, *value;
  80. unsigned len;
  81. /* Every record has this format: "LEN NAME=VALUE\n" */
  82. len = bb_strtou(p, &end, 10);
  83. /* expect errno to be EINVAL, because the character
  84. * following the digits should be a space
  85. */
  86. p += len;
  87. sz -= len;
  88. if (
  89. /** (int)sz < 0 - not good enough for huge malicious VALUE of 2^32-1 */
  90. (int)(sz|len) < 0 /* this works */
  91. || len == 0
  92. || errno != EINVAL
  93. || *end != ' '
  94. ) {
  95. bb_error_msg("malformed extended header, skipped");
  96. // More verbose version:
  97. //bb_error_msg("malformed extended header at %"OFF_FMT"d, skipped",
  98. // archive_handle->offset - (sz + len));
  99. break;
  100. }
  101. /* overwrite the terminating newline with NUL
  102. * (we do not bother to check that it *was* a newline)
  103. */
  104. p[-1] = '\0';
  105. value = end + 1;
  106. # if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
  107. if (!global && is_prefixed_with(value, "path=")) {
  108. value += sizeof("path=") - 1;
  109. free(archive_handle->tar__longname);
  110. archive_handle->tar__longname = xstrdup(value);
  111. continue;
  112. }
  113. # endif
  114. # if ENABLE_FEATURE_TAR_SELINUX
  115. /* Scan for SELinux contexts, via "RHT.security.selinux" keyword.
  116. * This is what Red Hat's patched version of tar uses.
  117. */
  118. # define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
  119. if (is_prefixed_with(value, SELINUX_CONTEXT_KEYWORD"=")) {
  120. value += sizeof(SELINUX_CONTEXT_KEYWORD"=") - 1;
  121. free(archive_handle->tar__sctx[global]);
  122. archive_handle->tar__sctx[global] = xstrdup(value);
  123. continue;
  124. }
  125. # endif
  126. }
  127. free(buf);
  128. #endif
  129. }
  130. char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
  131. {
  132. file_header_t *file_header = archive_handle->file_header;
  133. struct tar_header_t tar;
  134. char *cp;
  135. int i, sum_u, sum;
  136. #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
  137. int sum_s;
  138. #endif
  139. int parse_names;
  140. /* Our "private data" */
  141. #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
  142. # define p_longname (archive_handle->tar__longname)
  143. # define p_linkname (archive_handle->tar__linkname)
  144. #else
  145. # define p_longname 0
  146. # define p_linkname 0
  147. #endif
  148. #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX
  149. again:
  150. #endif
  151. /* Align header */
  152. data_align(archive_handle, 512);
  153. again_after_align:
  154. #if ENABLE_DESKTOP || ENABLE_FEATURE_TAR_AUTODETECT
  155. /* to prevent misdetection of bz2 sig */
  156. *(aliased_uint32_t*)&tar = 0;
  157. i = full_read(archive_handle->src_fd, &tar, 512);
  158. /* If GNU tar sees EOF in above read, it says:
  159. * "tar: A lone zero block at N", where N = kilobyte
  160. * where EOF was met (not EOF block, actual EOF!),
  161. * and exits with EXIT_SUCCESS.
  162. * We will mimic exit(EXIT_SUCCESS), although we will not mimic
  163. * the message and we don't check whether we indeed
  164. * saw zero block directly before this. */
  165. if (i == 0) {
  166. bb_error_msg("short read");
  167. /* this merely signals end of archive, not exit(1): */
  168. return EXIT_FAILURE;
  169. }
  170. if (i != 512) {
  171. IF_FEATURE_TAR_AUTODETECT(goto autodetect;)
  172. bb_error_msg_and_die("short read");
  173. }
  174. #else
  175. i = 512;
  176. xread(archive_handle->src_fd, &tar, i);
  177. #endif
  178. archive_handle->offset += i;
  179. /* If there is no filename its an empty header */
  180. if (tar.name[0] == 0 && tar.prefix[0] == 0) {
  181. if (archive_handle->tar__end) {
  182. /* Second consecutive empty header - end of archive.
  183. * Read until the end to empty the pipe from gz or bz2
  184. */
  185. while (full_read(archive_handle->src_fd, &tar, 512) == 512)
  186. continue;
  187. return EXIT_FAILURE; /* "end of archive" */
  188. }
  189. archive_handle->tar__end = 1;
  190. return EXIT_SUCCESS; /* "decoded one header" */
  191. }
  192. archive_handle->tar__end = 0;
  193. /* Check header has valid magic, "ustar" is for the proper tar,
  194. * five NULs are for the old tar format */
  195. if (!is_prefixed_with(tar.magic, "ustar")
  196. && (!ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
  197. || memcmp(tar.magic, "\0\0\0\0", 5) != 0)
  198. ) {
  199. #if ENABLE_FEATURE_TAR_AUTODETECT
  200. autodetect:
  201. /* Two different causes for lseek() != 0:
  202. * unseekable fd (would like to support that too, but...),
  203. * or not first block (false positive, it's not .gz/.bz2!) */
  204. if (lseek(archive_handle->src_fd, -i, SEEK_CUR) != 0)
  205. goto err;
  206. if (setup_unzip_on_fd(archive_handle->src_fd, /*fail_if_not_compressed:*/ 0) != 0)
  207. err:
  208. bb_error_msg_and_die("invalid tar magic");
  209. archive_handle->offset = 0;
  210. goto again_after_align;
  211. #endif
  212. bb_error_msg_and_die("invalid tar magic");
  213. }
  214. /* Do checksum on headers.
  215. * POSIX says that checksum is done on unsigned bytes, but
  216. * Sun and HP-UX gets it wrong... more details in
  217. * GNU tar source. */
  218. #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
  219. sum_s = ' ' * sizeof(tar.chksum);
  220. #endif
  221. sum_u = ' ' * sizeof(tar.chksum);
  222. for (i = 0; i < 148; i++) {
  223. sum_u += ((unsigned char*)&tar)[i];
  224. #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
  225. sum_s += ((signed char*)&tar)[i];
  226. #endif
  227. }
  228. for (i = 156; i < 512; i++) {
  229. sum_u += ((unsigned char*)&tar)[i];
  230. #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
  231. sum_s += ((signed char*)&tar)[i];
  232. #endif
  233. }
  234. /* This field does not need special treatment (getOctal) */
  235. {
  236. char *endp; /* gcc likes temp var for &endp */
  237. sum = strtoul(tar.chksum, &endp, 8);
  238. if ((*endp != '\0' && *endp != ' ')
  239. || (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum))
  240. ) {
  241. bb_error_msg_and_die("invalid tar header checksum");
  242. }
  243. }
  244. /* don't use xstrtoul, tar.chksum may have leading spaces */
  245. sum = strtoul(tar.chksum, NULL, 8);
  246. if (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)) {
  247. bb_error_msg_and_die("invalid tar header checksum");
  248. }
  249. /* 0 is reserved for high perf file, treat as normal file */
  250. if (!tar.typeflag) tar.typeflag = '0';
  251. parse_names = (tar.typeflag >= '0' && tar.typeflag <= '7');
  252. /* getOctal trashes subsequent field, therefore we call it
  253. * on fields in reverse order */
  254. if (tar.devmajor[0]) {
  255. char t = tar.prefix[0];
  256. /* we trash prefix[0] here, but we DO need it later! */
  257. unsigned minor = GET_OCTAL(tar.devminor);
  258. unsigned major = GET_OCTAL(tar.devmajor);
  259. file_header->device = makedev(major, minor);
  260. tar.prefix[0] = t;
  261. }
  262. file_header->link_target = NULL;
  263. if (!p_linkname && parse_names && tar.linkname[0]) {
  264. file_header->link_target = xstrndup(tar.linkname, sizeof(tar.linkname));
  265. /* FIXME: what if we have non-link object with link_target? */
  266. /* Will link_target be free()ed? */
  267. }
  268. #if ENABLE_FEATURE_TAR_UNAME_GNAME
  269. file_header->tar__uname = tar.uname[0] ? xstrndup(tar.uname, sizeof(tar.uname)) : NULL;
  270. file_header->tar__gname = tar.gname[0] ? xstrndup(tar.gname, sizeof(tar.gname)) : NULL;
  271. #endif
  272. file_header->mtime = GET_OCTAL(tar.mtime);
  273. file_header->size = GET_OCTAL(tar.size);
  274. file_header->gid = GET_OCTAL(tar.gid);
  275. file_header->uid = GET_OCTAL(tar.uid);
  276. /* Set bits 0-11 of the files mode */
  277. file_header->mode = 07777 & GET_OCTAL(tar.mode);
  278. file_header->name = NULL;
  279. if (!p_longname && parse_names) {
  280. /* we trash mode[0] here, it's ok */
  281. //tar.name[sizeof(tar.name)] = '\0'; - gcc 4.3.0 would complain
  282. tar.mode[0] = '\0';
  283. if (tar.prefix[0]) {
  284. /* and padding[0] */
  285. //tar.prefix[sizeof(tar.prefix)] = '\0'; - gcc 4.3.0 would complain
  286. tar.padding[0] = '\0';
  287. file_header->name = concat_path_file(tar.prefix, tar.name);
  288. } else
  289. file_header->name = xstrdup(tar.name);
  290. }
  291. /* Set bits 12-15 of the files mode */
  292. /* (typeflag was not trashed because chksum does not use getOctal) */
  293. switch (tar.typeflag) {
  294. case '1': /* hardlink */
  295. /* we mark hardlinks as regular files with zero size and a link name */
  296. file_header->mode |= S_IFREG;
  297. /* on size of link fields from star(4)
  298. * ... For tar archives written by pre POSIX.1-1988
  299. * implementations, the size field usually contains the size of
  300. * the file and needs to be ignored as no data may follow this
  301. * header type. For POSIX.1- 1988 compliant archives, the size
  302. * field needs to be 0. For POSIX.1-2001 compliant archives,
  303. * the size field may be non zero, indicating that file data is
  304. * included in the archive.
  305. * i.e; always assume this is zero for safety.
  306. */
  307. goto size0;
  308. case '7':
  309. /* case 0: */
  310. case '0':
  311. #if ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
  312. if (last_char_is(file_header->name, '/')) {
  313. goto set_dir;
  314. }
  315. #endif
  316. file_header->mode |= S_IFREG;
  317. break;
  318. case '2':
  319. file_header->mode |= S_IFLNK;
  320. /* have seen tarballs with size field containing
  321. * the size of the link target's name */
  322. size0:
  323. file_header->size = 0;
  324. break;
  325. case '3':
  326. file_header->mode |= S_IFCHR;
  327. goto size0; /* paranoia */
  328. case '4':
  329. file_header->mode |= S_IFBLK;
  330. goto size0;
  331. case '5':
  332. IF_FEATURE_TAR_OLDGNU_COMPATIBILITY(set_dir:)
  333. file_header->mode |= S_IFDIR;
  334. goto size0;
  335. case '6':
  336. file_header->mode |= S_IFIFO;
  337. goto size0;
  338. case 'g': /* pax global header */
  339. case 'x': { /* pax extended header */
  340. if ((uoff_t)file_header->size > 0xfffff) /* paranoia */
  341. goto skip_ext_hdr;
  342. process_pax_hdr(archive_handle, file_header->size, (tar.typeflag == 'g'));
  343. goto again_after_align;
  344. #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
  345. /* See http://www.gnu.org/software/tar/manual/html_node/Extensions.html */
  346. case 'L':
  347. /* free: paranoia: tar with several consecutive longnames */
  348. free(p_longname);
  349. /* For paranoia reasons we allocate extra NUL char */
  350. p_longname = xzalloc(file_header->size + 1);
  351. /* We read ASCIZ string, including NUL */
  352. xread(archive_handle->src_fd, p_longname, file_header->size);
  353. archive_handle->offset += file_header->size;
  354. /* return get_header_tar(archive_handle); */
  355. /* gcc 4.1.1 didn't optimize it into jump */
  356. /* so we will do it ourself, this also saves stack */
  357. goto again;
  358. case 'K':
  359. free(p_linkname);
  360. p_linkname = xzalloc(file_header->size + 1);
  361. xread(archive_handle->src_fd, p_linkname, file_header->size);
  362. archive_handle->offset += file_header->size;
  363. /* return get_header_tar(archive_handle); */
  364. goto again;
  365. /*
  366. * case 'S': // Sparse file
  367. * Was seen in the wild. Not supported (yet?).
  368. * See https://www.gnu.org/software/tar/manual/html_section/tar_92.html
  369. * for the format. (An "Old GNU Format" was seen, not PAX formats).
  370. */
  371. // case 'D': /* GNU dump dir */
  372. // case 'M': /* Continuation of multi volume archive */
  373. // case 'N': /* Old GNU for names > 100 characters */
  374. // case 'V': /* Volume header */
  375. #endif
  376. }
  377. skip_ext_hdr:
  378. {
  379. off_t sz;
  380. bb_error_msg("warning: skipping header '%c'", tar.typeflag);
  381. sz = (file_header->size + 511) & ~(off_t)511;
  382. archive_handle->offset += sz;
  383. sz >>= 9; /* sz /= 512 but w/o contortions for signed div */
  384. while (sz--)
  385. xread(archive_handle->src_fd, &tar, 512);
  386. /* return get_header_tar(archive_handle); */
  387. goto again_after_align;
  388. }
  389. default:
  390. bb_error_msg_and_die("unknown typeflag: 0x%x", tar.typeflag);
  391. }
  392. #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
  393. if (p_longname) {
  394. file_header->name = p_longname;
  395. p_longname = NULL;
  396. }
  397. if (p_linkname) {
  398. file_header->link_target = p_linkname;
  399. p_linkname = NULL;
  400. }
  401. #endif
  402. /* Everything up to and including last ".." component is stripped */
  403. overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
  404. //TODO: do the same for file_header->link_target?
  405. /* Strip trailing '/' in directories */
  406. /* Must be done after mode is set as '/' is used to check if it's a directory */
  407. cp = last_char_is(file_header->name, '/');
  408. if (archive_handle->filter(archive_handle) == EXIT_SUCCESS) {
  409. archive_handle->action_header(/*archive_handle->*/ file_header);
  410. /* Note that we kill the '/' only after action_header() */
  411. /* (like GNU tar 1.15.1: verbose mode outputs "dir/dir/") */
  412. if (cp)
  413. *cp = '\0';
  414. archive_handle->action_data(archive_handle);
  415. if (archive_handle->accept || archive_handle->reject
  416. || (archive_handle->ah_flags & ARCHIVE_REMEMBER_NAMES)
  417. ) {
  418. llist_add_to(&archive_handle->passed, file_header->name);
  419. } else /* Caller isn't interested in list of unpacked files */
  420. free(file_header->name);
  421. } else {
  422. data_skip(archive_handle);
  423. free(file_header->name);
  424. }
  425. archive_handle->offset += file_header->size;
  426. free(file_header->link_target);
  427. /* Do not free(file_header->name)!
  428. * It might be inserted in archive_handle->passed - see above */
  429. #if ENABLE_FEATURE_TAR_UNAME_GNAME
  430. free(file_header->tar__uname);
  431. free(file_header->tar__gname);
  432. #endif
  433. return EXIT_SUCCESS; /* "decoded one header" */
  434. }