blob: c7e3bc16e411daa2cfc0100f147e30cbd41ea3bb
1 | /* vi: set sw=4 ts=4: */ |
2 | /* Licensed under GPLv2 or later, see file LICENSE in this source tree. |
3 | * |
4 | * FIXME: |
5 | * In privileged mode if uname and gname map to a uid and gid then use the |
6 | * mapped value instead of the uid/gid values in tar header |
7 | * |
8 | * References: |
9 | * GNU tar and star man pages, |
10 | * Opengroup's ustar interchange format, |
11 | * http://www.opengroup.org/onlinepubs/007904975/utilities/pax.html |
12 | */ |
13 | |
14 | #include "libbb.h" |
15 | #include "bb_archive.h" |
16 | |
17 | typedef uint32_t aliased_uint32_t FIX_ALIASING; |
18 | typedef off_t aliased_off_t FIX_ALIASING; |
19 | |
20 | /* NB: _DESTROYS_ str[len] character! */ |
21 | static unsigned long long getOctal(char *str, int len) |
22 | { |
23 | unsigned long long v; |
24 | char *end; |
25 | /* NB: leading spaces are allowed. Using strtoull to handle that. |
26 | * The downside is that we accept e.g. "-123" too :( |
27 | */ |
28 | str[len] = '\0'; |
29 | v = strtoull(str, &end, 8); |
30 | /* std: "Each numeric field is terminated by one or more |
31 | * <space> or NUL characters". We must support ' '! */ |
32 | if (*end != '\0' && *end != ' ') { |
33 | int8_t first = str[0]; |
34 | if (!(first & 0x80)) |
35 | bb_error_msg_and_die("corrupted octal value in tar header"); |
36 | /* |
37 | * GNU tar uses "base-256 encoding" for very large numbers. |
38 | * Encoding is binary, with highest bit always set as a marker |
39 | * and sign in next-highest bit: |
40 | * 80 00 .. 00 - zero |
41 | * bf ff .. ff - largest positive number |
42 | * ff ff .. ff - minus 1 |
43 | * c0 00 .. 00 - smallest negative number |
44 | * |
45 | * Example of tar file with 8914993153 (0x213600001) byte file. |
46 | * Field starts at offset 7c: |
47 | * 00070 30 30 30 00 30 30 30 30 30 30 30 00 80 00 00 00 |000.0000000.....| |
48 | * 00080 00 00 00 02 13 60 00 01 31 31 31 32 30 33 33 36 |.....`..11120336| |
49 | * |
50 | * NB: tarballs with NEGATIVE unix times encoded that way were seen! |
51 | */ |
52 | /* Sign-extend 7bit 'first' to 64bit 'v' (that is, using 6th bit as sign): */ |
53 | first <<= 1; |
54 | first >>= 1; /* now 7th bit = 6th bit */ |
55 | v = first; /* sign-extend 8 bits to 64 */ |
56 | while (--len != 0) |
57 | v = (v << 8) + (uint8_t) *++str; |
58 | } |
59 | return v; |
60 | } |
61 | #define GET_OCTAL(a) getOctal((a), sizeof(a)) |
62 | |
63 | #define TAR_EXTD (ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX) |
64 | #if !TAR_EXTD |
65 | #define process_pax_hdr(archive_handle, sz, global) \ |
66 | process_pax_hdr(archive_handle, sz) |
67 | #endif |
68 | /* "global" is 0 or 1 */ |
69 | static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int global) |
70 | { |
71 | #if !TAR_EXTD |
72 | unsigned blk_sz = (sz + 511) & (~511); |
73 | seek_by_read(archive_handle->src_fd, blk_sz); |
74 | #else |
75 | unsigned blk_sz = (sz + 511) & (~511); |
76 | char *buf, *p; |
77 | |
78 | p = buf = xmalloc(blk_sz + 1); |
79 | xread(archive_handle->src_fd, buf, blk_sz); |
80 | archive_handle->offset += blk_sz; |
81 | |
82 | /* prevent bb_strtou from running off the buffer */ |
83 | buf[sz] = '\0'; |
84 | |
85 | while (sz != 0) { |
86 | char *end, *value; |
87 | unsigned len; |
88 | |
89 | /* Every record has this format: "LEN NAME=VALUE\n" */ |
90 | len = bb_strtou(p, &end, 10); |
91 | /* expect errno to be EINVAL, because the character |
92 | * following the digits should be a space |
93 | */ |
94 | p += len; |
95 | sz -= len; |
96 | if ( |
97 | /** (int)sz < 0 - not good enough for huge malicious VALUE of 2^32-1 */ |
98 | (int)(sz|len) < 0 /* this works */ |
99 | || len == 0 |
100 | || errno != EINVAL |
101 | || *end != ' ' |
102 | ) { |
103 | bb_error_msg("malformed extended header, skipped"); |
104 | // More verbose version: |
105 | //bb_error_msg("malformed extended header at %"OFF_FMT"d, skipped", |
106 | // archive_handle->offset - (sz + len)); |
107 | break; |
108 | } |
109 | /* overwrite the terminating newline with NUL |
110 | * (we do not bother to check that it *was* a newline) |
111 | */ |
112 | p[-1] = '\0'; |
113 | value = end + 1; |
114 | |
115 | # if ENABLE_FEATURE_TAR_GNU_EXTENSIONS |
116 | if (!global) { |
117 | if (is_prefixed_with(value, "path=")) { |
118 | value += sizeof("path=") - 1; |
119 | free(archive_handle->tar__longname); |
120 | archive_handle->tar__longname = xstrdup(value); |
121 | continue; |
122 | } |
123 | if (is_prefixed_with(value, "linkpath=")) { |
124 | value += sizeof("linkpath=") - 1; |
125 | free(archive_handle->tar__linkname); |
126 | archive_handle->tar__linkname = xstrdup(value); |
127 | continue; |
128 | } |
129 | } |
130 | # endif |
131 | |
132 | # if ENABLE_FEATURE_TAR_SELINUX |
133 | /* Scan for SELinux contexts, via "RHT.security.selinux" keyword. |
134 | * This is what Red Hat's patched version of tar uses. |
135 | */ |
136 | # define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux" |
137 | if (is_prefixed_with(value, SELINUX_CONTEXT_KEYWORD"=")) { |
138 | value += sizeof(SELINUX_CONTEXT_KEYWORD"=") - 1; |
139 | free(archive_handle->tar__sctx[global]); |
140 | archive_handle->tar__sctx[global] = xstrdup(value); |
141 | continue; |
142 | } |
143 | # endif |
144 | } |
145 | |
146 | free(buf); |
147 | #endif |
148 | } |
149 | |
150 | char FAST_FUNC get_header_tar(archive_handle_t *archive_handle) |
151 | { |
152 | file_header_t *file_header = archive_handle->file_header; |
153 | struct tar_header_t tar; |
154 | char *cp; |
155 | int i, sum_u, sum; |
156 | #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY |
157 | int sum_s; |
158 | #endif |
159 | int parse_names; |
160 | |
161 | /* Our "private data" */ |
162 | #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS |
163 | # define p_longname (archive_handle->tar__longname) |
164 | # define p_linkname (archive_handle->tar__linkname) |
165 | #else |
166 | # define p_longname 0 |
167 | # define p_linkname 0 |
168 | #endif |
169 | |
170 | #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX |
171 | again: |
172 | #endif |
173 | /* Align header */ |
174 | data_align(archive_handle, 512); |
175 | |
176 | again_after_align: |
177 | |
178 | #if ENABLE_DESKTOP || ENABLE_FEATURE_TAR_AUTODETECT |
179 | /* to prevent misdetection of bz2 sig */ |
180 | *(aliased_uint32_t*)&tar = 0; |
181 | i = full_read(archive_handle->src_fd, &tar, 512); |
182 | /* If GNU tar sees EOF in above read, it says: |
183 | * "tar: A lone zero block at N", where N = kilobyte |
184 | * where EOF was met (not EOF block, actual EOF!), |
185 | * and exits with EXIT_SUCCESS. |
186 | * We will mimic exit(EXIT_SUCCESS), although we will not mimic |
187 | * the message and we don't check whether we indeed |
188 | * saw zero block directly before this. */ |
189 | if (i == 0) { |
190 | /* GNU tar 1.29 will be silent if tar archive ends abruptly |
191 | * (if there are no zero blocks at all, and last read returns zero, |
192 | * not short read 0 < len < 512). Complain only if |
193 | * the very first read fails. Grrr. |
194 | */ |
195 | if (archive_handle->offset == 0) |
196 | bb_error_msg("short read"); |
197 | /* this merely signals end of archive, not exit(1): */ |
198 | return EXIT_FAILURE; |
199 | } |
200 | if (i != 512) { |
201 | IF_FEATURE_TAR_AUTODETECT(goto autodetect;) |
202 | bb_error_msg_and_die("short read"); |
203 | } |
204 | |
205 | #else |
206 | i = 512; |
207 | xread(archive_handle->src_fd, &tar, i); |
208 | #endif |
209 | archive_handle->offset += i; |
210 | |
211 | /* If there is no filename its an empty header */ |
212 | if (tar.name[0] == 0 && tar.prefix[0] == 0 |
213 | /* Have seen a tar archive with pax 'x' header supplying UTF8 filename, |
214 | * with actual file having all name fields NUL-filled. Check this: */ |
215 | && !p_longname |
216 | ) { |
217 | if (archive_handle->tar__end) { |
218 | /* Second consecutive empty header - end of archive. |
219 | * Read until the end to empty the pipe from gz or bz2 |
220 | */ |
221 | while (full_read(archive_handle->src_fd, &tar, 512) == 512) |
222 | continue; |
223 | return EXIT_FAILURE; /* "end of archive" */ |
224 | } |
225 | archive_handle->tar__end = 1; |
226 | return EXIT_SUCCESS; /* "decoded one header" */ |
227 | } |
228 | archive_handle->tar__end = 0; |
229 | |
230 | /* Check header has valid magic, "ustar" is for the proper tar, |
231 | * five NULs are for the old tar format */ |
232 | if (!is_prefixed_with(tar.magic, "ustar") |
233 | && (!ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY |
234 | || memcmp(tar.magic, "\0\0\0\0", 5) != 0) |
235 | ) { |
236 | #if ENABLE_FEATURE_TAR_AUTODETECT |
237 | autodetect: |
238 | /* Two different causes for lseek() != 0: |
239 | * unseekable fd (would like to support that too, but...), |
240 | * or not first block (false positive, it's not .gz/.bz2!) */ |
241 | if (lseek(archive_handle->src_fd, -i, SEEK_CUR) != 0) |
242 | goto err; |
243 | if (setup_unzip_on_fd(archive_handle->src_fd, /*fail_if_not_compressed:*/ 0) != 0) |
244 | err: |
245 | bb_error_msg_and_die("invalid tar magic"); |
246 | archive_handle->offset = 0; |
247 | goto again_after_align; |
248 | #endif |
249 | bb_error_msg_and_die("invalid tar magic"); |
250 | } |
251 | |
252 | /* Do checksum on headers. |
253 | * POSIX says that checksum is done on unsigned bytes, but |
254 | * Sun and HP-UX gets it wrong... more details in |
255 | * GNU tar source. */ |
256 | #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY |
257 | sum_s = ' ' * sizeof(tar.chksum); |
258 | #endif |
259 | sum_u = ' ' * sizeof(tar.chksum); |
260 | for (i = 0; i < 148; i++) { |
261 | sum_u += ((unsigned char*)&tar)[i]; |
262 | #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY |
263 | sum_s += ((signed char*)&tar)[i]; |
264 | #endif |
265 | } |
266 | for (i = 156; i < 512; i++) { |
267 | sum_u += ((unsigned char*)&tar)[i]; |
268 | #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY |
269 | sum_s += ((signed char*)&tar)[i]; |
270 | #endif |
271 | } |
272 | /* This field does not need special treatment (getOctal) */ |
273 | { |
274 | char *endp; /* gcc likes temp var for &endp */ |
275 | sum = strtoul(tar.chksum, &endp, 8); |
276 | if ((*endp != '\0' && *endp != ' ') |
277 | || (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)) |
278 | ) { |
279 | bb_error_msg_and_die("invalid tar header checksum"); |
280 | } |
281 | } |
282 | /* don't use xstrtoul, tar.chksum may have leading spaces */ |
283 | sum = strtoul(tar.chksum, NULL, 8); |
284 | if (sum_u != sum IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)) { |
285 | bb_error_msg_and_die("invalid tar header checksum"); |
286 | } |
287 | |
288 | /* 0 is reserved for high perf file, treat as normal file */ |
289 | if (!tar.typeflag) tar.typeflag = '0'; |
290 | parse_names = (tar.typeflag >= '0' && tar.typeflag <= '7'); |
291 | |
292 | /* getOctal trashes subsequent field, therefore we call it |
293 | * on fields in reverse order */ |
294 | if (tar.devmajor[0]) { |
295 | char t = tar.prefix[0]; |
296 | /* we trash prefix[0] here, but we DO need it later! */ |
297 | unsigned minor = GET_OCTAL(tar.devminor); |
298 | unsigned major = GET_OCTAL(tar.devmajor); |
299 | file_header->device = makedev(major, minor); |
300 | tar.prefix[0] = t; |
301 | } |
302 | file_header->link_target = NULL; |
303 | if (!p_linkname && parse_names && tar.linkname[0]) { |
304 | file_header->link_target = xstrndup(tar.linkname, sizeof(tar.linkname)); |
305 | /* FIXME: what if we have non-link object with link_target? */ |
306 | /* Will link_target be free()ed? */ |
307 | } |
308 | #if ENABLE_FEATURE_TAR_UNAME_GNAME |
309 | file_header->tar__uname = tar.uname[0] ? xstrndup(tar.uname, sizeof(tar.uname)) : NULL; |
310 | file_header->tar__gname = tar.gname[0] ? xstrndup(tar.gname, sizeof(tar.gname)) : NULL; |
311 | #endif |
312 | file_header->mtime = GET_OCTAL(tar.mtime); |
313 | file_header->size = GET_OCTAL(tar.size); |
314 | file_header->gid = GET_OCTAL(tar.gid); |
315 | file_header->uid = GET_OCTAL(tar.uid); |
316 | /* Set bits 0-11 of the files mode */ |
317 | file_header->mode = 07777 & GET_OCTAL(tar.mode); |
318 | |
319 | file_header->name = NULL; |
320 | if (!p_longname && parse_names) { |
321 | /* we trash mode[0] here, it's ok */ |
322 | //tar.name[sizeof(tar.name)] = '\0'; - gcc 4.3.0 would complain |
323 | tar.mode[0] = '\0'; |
324 | if (tar.prefix[0]) { |
325 | /* and padding[0] */ |
326 | //tar.prefix[sizeof(tar.prefix)] = '\0'; - gcc 4.3.0 would complain |
327 | tar.padding[0] = '\0'; |
328 | file_header->name = concat_path_file(tar.prefix, tar.name); |
329 | } else |
330 | file_header->name = xstrdup(tar.name); |
331 | } |
332 | |
333 | /* Set bits 12-15 of the files mode */ |
334 | /* (typeflag was not trashed because chksum does not use getOctal) */ |
335 | switch (tar.typeflag) { |
336 | case '1': /* hardlink */ |
337 | /* we mark hardlinks as regular files with zero size and a link name */ |
338 | file_header->mode |= S_IFREG; |
339 | /* on size of link fields from star(4) |
340 | * ... For tar archives written by pre POSIX.1-1988 |
341 | * implementations, the size field usually contains the size of |
342 | * the file and needs to be ignored as no data may follow this |
343 | * header type. For POSIX.1- 1988 compliant archives, the size |
344 | * field needs to be 0. For POSIX.1-2001 compliant archives, |
345 | * the size field may be non zero, indicating that file data is |
346 | * included in the archive. |
347 | * i.e; always assume this is zero for safety. |
348 | */ |
349 | goto size0; |
350 | case '7': |
351 | /* case 0: */ |
352 | case '0': |
353 | #if ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY |
354 | if (last_char_is(file_header->name, '/')) { |
355 | goto set_dir; |
356 | } |
357 | #endif |
358 | file_header->mode |= S_IFREG; |
359 | break; |
360 | case '2': |
361 | file_header->mode |= S_IFLNK; |
362 | /* have seen tarballs with size field containing |
363 | * the size of the link target's name */ |
364 | size0: |
365 | file_header->size = 0; |
366 | break; |
367 | case '3': |
368 | file_header->mode |= S_IFCHR; |
369 | goto size0; /* paranoia */ |
370 | case '4': |
371 | file_header->mode |= S_IFBLK; |
372 | goto size0; |
373 | case '5': |
374 | IF_FEATURE_TAR_OLDGNU_COMPATIBILITY(set_dir:) |
375 | file_header->mode |= S_IFDIR; |
376 | goto size0; |
377 | case '6': |
378 | file_header->mode |= S_IFIFO; |
379 | goto size0; |
380 | case 'g': /* pax global header */ |
381 | case 'x': { /* pax extended header */ |
382 | if ((uoff_t)file_header->size > 0xfffff) /* paranoia */ |
383 | goto skip_ext_hdr; |
384 | process_pax_hdr(archive_handle, file_header->size, (tar.typeflag == 'g')); |
385 | goto again_after_align; |
386 | #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS |
387 | /* See http://www.gnu.org/software/tar/manual/html_node/Extensions.html */ |
388 | case 'L': |
389 | /* free: paranoia: tar with several consecutive longnames */ |
390 | free(p_longname); |
391 | /* For paranoia reasons we allocate extra NUL char */ |
392 | p_longname = xzalloc(file_header->size + 1); |
393 | /* We read ASCIZ string, including NUL */ |
394 | xread(archive_handle->src_fd, p_longname, file_header->size); |
395 | archive_handle->offset += file_header->size; |
396 | /* return get_header_tar(archive_handle); */ |
397 | /* gcc 4.1.1 didn't optimize it into jump */ |
398 | /* so we will do it ourself, this also saves stack */ |
399 | goto again; |
400 | case 'K': |
401 | free(p_linkname); |
402 | p_linkname = xzalloc(file_header->size + 1); |
403 | xread(archive_handle->src_fd, p_linkname, file_header->size); |
404 | archive_handle->offset += file_header->size; |
405 | /* return get_header_tar(archive_handle); */ |
406 | goto again; |
407 | /* |
408 | * case 'S': // Sparse file |
409 | * Was seen in the wild. Not supported (yet?). |
410 | * See https://www.gnu.org/software/tar/manual/html_section/tar_92.html |
411 | * for the format. (An "Old GNU Format" was seen, not PAX formats). |
412 | */ |
413 | // case 'D': /* GNU dump dir */ |
414 | // case 'M': /* Continuation of multi volume archive */ |
415 | // case 'N': /* Old GNU for names > 100 characters */ |
416 | // case 'V': /* Volume header */ |
417 | #endif |
418 | } |
419 | skip_ext_hdr: |
420 | { |
421 | off_t sz; |
422 | bb_error_msg("warning: skipping header '%c'", tar.typeflag); |
423 | sz = (file_header->size + 511) & ~(off_t)511; |
424 | archive_handle->offset += sz; |
425 | sz >>= 9; /* sz /= 512 but w/o contortions for signed div */ |
426 | while (sz--) |
427 | xread(archive_handle->src_fd, &tar, 512); |
428 | /* return get_header_tar(archive_handle); */ |
429 | goto again_after_align; |
430 | } |
431 | default: |
432 | bb_error_msg_and_die("unknown typeflag: 0x%x", tar.typeflag); |
433 | } |
434 | |
435 | #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS |
436 | if (p_longname) { |
437 | file_header->name = p_longname; |
438 | p_longname = NULL; |
439 | } |
440 | if (p_linkname) { |
441 | file_header->link_target = p_linkname; |
442 | p_linkname = NULL; |
443 | } |
444 | #endif |
445 | |
446 | /* Everything up to and including last ".." component is stripped */ |
447 | overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name)); |
448 | //TODO: do the same for file_header->link_target? |
449 | |
450 | /* Strip trailing '/' in directories */ |
451 | /* Must be done after mode is set as '/' is used to check if it's a directory */ |
452 | cp = last_char_is(file_header->name, '/'); |
453 | |
454 | if (archive_handle->filter(archive_handle) == EXIT_SUCCESS) { |
455 | archive_handle->action_header(/*archive_handle->*/ file_header); |
456 | /* Note that we kill the '/' only after action_header() */ |
457 | /* (like GNU tar 1.15.1: verbose mode outputs "dir/dir/") */ |
458 | if (cp) |
459 | *cp = '\0'; |
460 | archive_handle->action_data(archive_handle); |
461 | if (archive_handle->accept || archive_handle->reject |
462 | || (archive_handle->ah_flags & ARCHIVE_REMEMBER_NAMES) |
463 | ) { |
464 | llist_add_to(&archive_handle->passed, file_header->name); |
465 | } else /* Caller isn't interested in list of unpacked files */ |
466 | free(file_header->name); |
467 | } else { |
468 | data_skip(archive_handle); |
469 | free(file_header->name); |
470 | } |
471 | archive_handle->offset += file_header->size; |
472 | |
473 | free(file_header->link_target); |
474 | /* Do not free(file_header->name)! |
475 | * It might be inserted in archive_handle->passed - see above */ |
476 | #if ENABLE_FEATURE_TAR_UNAME_GNAME |
477 | free(file_header->tar__uname); |
478 | free(file_header->tar__gname); |
479 | #endif |
480 | return EXIT_SUCCESS; /* "decoded one header" */ |
481 | } |
482 |