1 /* vi: set sw=4 ts=4: */
2 /*
3 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
4 *
5 * FIXME:
6 * In privileged mode if uname and gname map to a uid and gid then use the
7 * mapped value instead of the uid/gid values in tar header
8 *
9 * References:
10 * GNU tar and star man pages,
11 * Opengroup's ustar interchange format,
12 * http://www.opengroup.org/onlinepubs/007904975/utilities/pax.html
13 */
14 #include "libbb.h"
15 #include "bb_archive.h"
16
17 typedef uint32_t aliased_uint32_t FIX_ALIASING;
18 typedef off_t aliased_off_t FIX_ALIASING;
19
20 /* NB: _DESTROYS_ str[len] character! */
getOctal(char * str,int len)21 static unsigned long long getOctal(char *str, int len)
22 {
23 unsigned long long v;
24 char *end;
25 /* NB: leading spaces are allowed. Using strtoull to handle that.
26 * The downside is that we accept e.g. "-123" too :(
27 */
28 str[len] = '\0';
29 v = strtoull(str, &end, 8);
30 /* std: "Each numeric field is terminated by one or more
31 * <space> or NUL characters". We must support ' '! */
32 if (*end != '\0' && *end != ' ') {
33 int8_t first = str[0];
34 if (!(first & 0x80))
35 bb_simple_error_msg_and_die("corrupted octal value in tar header");
36 /*
37 * GNU tar uses "base-256 encoding" for very large numbers.
38 * Encoding is binary, with highest bit always set as a marker
39 * and sign in next-highest bit:
40 * 80 00 .. 00 - zero
41 * bf ff .. ff - largest positive number
42 * ff ff .. ff - minus 1
43 * c0 00 .. 00 - smallest negative number
44 *
45 * Example of tar file with 8914993153 (0x213600001) byte file.
46 * Field starts at offset 7c:
47 * 00070 30 30 30 00 30 30 30 30 30 30 30 00 80 00 00 00 |000.0000000.....|
48 * 00080 00 00 00 02 13 60 00 01 31 31 31 32 30 33 33 36 |.....`..11120336|
49 *
50 * NB: tarballs with NEGATIVE unix times encoded that way were seen!
51 */
52 /* Sign-extend 7bit 'first' to 64bit 'v' (that is, using 6th bit as sign): */
53 first <<= 1;
54 first >>= 1; /* now 7th bit = 6th bit */
55 v = first; /* sign-extend 8 bits to 64 */
56 while (--len != 0)
57 v = (v << 8) + (uint8_t) *++str;
58 }
59 return v;
60 }
61 #define GET_OCTAL(a) getOctal((a), sizeof(a))
62
63 #define TAR_EXTD (ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX)
64 #if !TAR_EXTD
65 #define process_pax_hdr(archive_handle, sz, global) \
66 process_pax_hdr(archive_handle, sz)
67 #endif
68 /* "global" is 0 or 1 */
process_pax_hdr(archive_handle_t * archive_handle,unsigned sz,int global)69 static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int global)
70 {
71 #if !TAR_EXTD
72 unsigned blk_sz = (sz + 511) & (~511);
73 seek_by_read(archive_handle->src_fd, blk_sz);
74 #else
75 unsigned blk_sz = (sz + 511) & (~511);
76 char *buf, *p;
77
78 p = buf = xmalloc(blk_sz + 1);
79 xread(archive_handle->src_fd, buf, blk_sz);
80 archive_handle->offset += blk_sz;
81
82 /* prevent bb_strtou from running off the buffer */
83 buf[sz] = '\0';
84
85 while (sz != 0) {
86 char *end, *value;
87 unsigned len;
88
89 /* Every record has this format: "LEN NAME=VALUE\n" */
90 len = bb_strtou(p, &end, 10);
91 /* expect errno to be EINVAL, because the character
92 * following the digits should be a space
93 */
94 p += len;
95 sz -= len;
96 if (
97 /** (int)sz < 0 - not good enough for huge malicious VALUE of 2^32-1 */
98 (int)(sz|len) < 0 /* this works */
99 || len == 0
100 || errno != EINVAL
101 || *end != ' '
102 ) {
103 bb_simple_error_msg("malformed extended header, skipped");
104 // More verbose version:
105 //bb_error_msg("malformed extended header at %"OFF_FMT"d, skipped",
106 // archive_handle->offset - (sz + len));
107 break;
108 }
109 /* overwrite the terminating newline with NUL
110 * (we do not bother to check that it *was* a newline)
111 */
112 p[-1] = '\0';
113 value = end + 1;
114
115 # if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
116 if (!global) {
117 if (is_prefixed_with(value, "path=")) {
118 value += sizeof("path=") - 1;
119 free(archive_handle->tar__longname);
120 archive_handle->tar__longname = xstrdup(value);
121 continue;
122 }
123 if (is_prefixed_with(value, "linkpath=")) {
124 value += sizeof("linkpath=") - 1;
125 free(archive_handle->tar__linkname);
126 archive_handle->tar__linkname = xstrdup(value);
127 continue;
128 }
129 }
130 # endif
131
132 # if ENABLE_FEATURE_TAR_SELINUX
133 /* Scan for SELinux contexts, via "RHT.security.selinux" keyword.
134 * This is what Red Hat's patched version of tar uses.
135 */
136 # define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
137 if (is_prefixed_with(value, SELINUX_CONTEXT_KEYWORD"=")) {
138 value += sizeof(SELINUX_CONTEXT_KEYWORD"=") - 1;
139 free(archive_handle->tar__sctx[global]);
140 archive_handle->tar__sctx[global] = xstrdup(value);
141 continue;
142 }
143 # endif
144 }
145
146 free(buf);
147 #endif
148 }
149
die_if_bad_fnamesize(off_t sz)150 static void die_if_bad_fnamesize(off_t sz)
151 {
152 if ((uoff_t)sz > 0xfff) /* more than 4k?! no funny business please */
153 bb_simple_error_msg_and_die("bad archive");
154 }
155
get_header_tar(archive_handle_t * archive_handle)156 char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
157 {
158 file_header_t *file_header = archive_handle->file_header;
159 struct tar_header_t tar;
160 char *cp;
161 int tar_typeflag; /* can be "char", "int" seems give smaller code */
162 int i, sum_u, sum;
163 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
164 int sum_s;
165 #endif
166 int parse_names;
167
168 /* Our "private data" */
169 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
170 # define p_longname (archive_handle->tar__longname)
171 # define p_linkname (archive_handle->tar__linkname)
172 #else
173 # define p_longname 0
174 # define p_linkname 0
175 #endif
176
177 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS || ENABLE_FEATURE_TAR_SELINUX
178 again:
179 #endif
180 /* Align header */
181 data_align(archive_handle, 512);
182
183 again_after_align:
184
185 #if ENABLE_DESKTOP || ENABLE_FEATURE_TAR_AUTODETECT
186 /* to prevent misdetection of bz2 sig */
187 *(aliased_uint32_t*)&tar = 0;
188 i = full_read(archive_handle->src_fd, &tar, 512);
189 /* If GNU tar sees EOF in above read, it says:
190 * "tar: A lone zero block at N", where N = kilobyte
191 * where EOF was met (not EOF block, actual EOF!),
192 * and exits with EXIT_SUCCESS.
193 * We will mimic exit(EXIT_SUCCESS), although we will not mimic
194 * the message and we don't check whether we indeed
195 * saw zero block directly before this. */
196 if (i == 0) {
197 /* GNU tar 1.29 will be silent if tar archive ends abruptly
198 * (if there are no zero blocks at all, and last read returns zero,
199 * not short read 0 < len < 512). Complain only if
200 * the very first read fails. Grrr.
201 */
202 if (archive_handle->offset == 0)
203 bb_simple_error_msg("short read");
204 /* this merely signals end of archive, not exit(1): */
205 return EXIT_FAILURE;
206 }
207 if (i != 512) {
208 IF_FEATURE_TAR_AUTODETECT(goto autodetect;)
209 bb_simple_error_msg_and_die("short read");
210 }
211
212 #else
213 i = 512;
214 xread(archive_handle->src_fd, &tar, i);
215 #endif
216 archive_handle->offset += i;
217
218 /* If there is no filename its an empty header */
219 if (tar.name[0] == 0 && tar.prefix[0] == 0
220 /* Have seen a tar archive with pax 'x' header supplying UTF8 filename,
221 * with actual file having all name fields NUL-filled. Check this: */
222 && !p_longname
223 ) {
224 if (archive_handle->tar__end) {
225 /* Second consecutive empty header - end of archive.
226 * Read until the end to empty the pipe from gz or bz2
227 */
228 while (full_read(archive_handle->src_fd, &tar, 512) == 512)
229 continue;
230 return EXIT_FAILURE; /* "end of archive" */
231 }
232 archive_handle->tar__end = 1;
233 return EXIT_SUCCESS; /* "decoded one header" */
234 }
235 archive_handle->tar__end = 0;
236
237 /* Check header has valid magic, "ustar" is for the proper tar,
238 * five NULs are for the old tar format */
239 if (!is_prefixed_with(tar.magic, "ustar")
240 && (!ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
241 || memcmp(tar.magic, "\0\0\0\0", 5) != 0)
242 ) {
243 #if ENABLE_FEATURE_TAR_AUTODETECT
244 autodetect:
245 /* Two different causes for lseek() != 0:
246 * unseekable fd (would like to support that too, but...),
247 * or not first block (false positive, it's not .gz/.bz2!) */
248 if (lseek(archive_handle->src_fd, -i, SEEK_CUR) != 0)
249 goto err;
250 if (setup_unzip_on_fd(archive_handle->src_fd, /*fail_if_not_compressed:*/ 0) != 0)
251 err:
252 bb_simple_error_msg_and_die("invalid tar magic");
253 archive_handle->offset = 0;
254 goto again_after_align;
255 #endif
256 bb_simple_error_msg_and_die("invalid tar magic");
257 }
258
259 /* Do checksum on headers.
260 * POSIX says that checksum is done on unsigned bytes, but
261 * Sun and HP-UX gets it wrong... more details in
262 * GNU tar source. */
263 sum_u = ' ' * sizeof(tar.chksum);
264 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
265 sum_s = sum_u;
266 #endif
267 for (i = 0; i < 148; i++) {
268 sum_u += ((unsigned char*)&tar)[i];
269 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
270 sum_s += ((signed char*)&tar)[i];
271 #endif
272 }
273 for (i = 156; i < 512; i++) {
274 sum_u += ((unsigned char*)&tar)[i];
275 #if ENABLE_FEATURE_TAR_OLDSUN_COMPATIBILITY
276 sum_s += ((signed char*)&tar)[i];
277 #endif
278 }
279 /* Most tarfiles have tar.chksum NUL or space terminated, but
280 * github.com decided to be "special" and have unterminated field:
281 * 0090: 30343300 30303031 33323731 30000000 |043.000132710...|
282 * ^^^^^^^^|
283 * Need to use GET_OCTAL. This overwrites tar.typeflag ---+
284 * (the '0' char immediately after chksum in example above) with NUL.
285 */
286 tar_typeflag = (uint8_t)tar.typeflag; /* save it */
287 sum = GET_OCTAL(tar.chksum);
288 if (sum_u != sum
289 IF_FEATURE_TAR_OLDSUN_COMPATIBILITY(&& sum_s != sum)
290 ) {
291 bb_simple_error_msg_and_die("invalid tar header checksum");
292 }
293
294 /* GET_OCTAL trashes subsequent field, therefore we call it
295 * on fields in reverse order */
296 if (tar.devmajor[0]) {
297 char t = tar.prefix[0];
298 /* we trash prefix[0] here, but we DO need it later! */
299 unsigned minor = GET_OCTAL(tar.devminor);
300 unsigned major = GET_OCTAL(tar.devmajor);
301 file_header->device = makedev(major, minor);
302 tar.prefix[0] = t;
303 }
304
305 /* 0 is reserved for high perf file, treat as normal file */
306 if (tar_typeflag == '\0') tar_typeflag = '0';
307 parse_names = (tar_typeflag >= '0' && tar_typeflag <= '7');
308
309 file_header->link_target = NULL;
310 if (!p_linkname && parse_names && tar.linkname[0]) {
311 file_header->link_target = xstrndup(tar.linkname, sizeof(tar.linkname));
312 /* FIXME: what if we have non-link object with link_target? */
313 /* Will link_target be free()ed? */
314 }
315 #if ENABLE_FEATURE_TAR_UNAME_GNAME
316 file_header->tar__uname = tar.uname[0] ? xstrndup(tar.uname, sizeof(tar.uname)) : NULL;
317 file_header->tar__gname = tar.gname[0] ? xstrndup(tar.gname, sizeof(tar.gname)) : NULL;
318 #endif
319 file_header->mtime = GET_OCTAL(tar.mtime);
320 file_header->size = GET_OCTAL(tar.size);
321 file_header->gid = GET_OCTAL(tar.gid);
322 file_header->uid = GET_OCTAL(tar.uid);
323 /* Set bits 0-11 of the files mode */
324 file_header->mode = 07777 & GET_OCTAL(tar.mode);
325
326 file_header->name = NULL;
327 if (!p_longname && parse_names) {
328 /* we trash mode[0] here, it's ok */
329 //tar.name[sizeof(tar.name)] = '\0'; - gcc 4.3.0 would complain
330 tar.mode[0] = '\0';
331 if (tar.prefix[0]) {
332 /* and padding[0] */
333 //tar.prefix[sizeof(tar.prefix)] = '\0'; - gcc 4.3.0 would complain
334 tar.padding[0] = '\0';
335 file_header->name = concat_path_file(tar.prefix, tar.name);
336 } else
337 file_header->name = xstrdup(tar.name);
338 }
339
340 switch (tar_typeflag) {
341 case '1': /* hardlink */
342 /* we mark hardlinks as regular files with zero size and a link name */
343 file_header->mode |= S_IFREG;
344 /* on size of link fields from star(4)
345 * ... For tar archives written by pre POSIX.1-1988
346 * implementations, the size field usually contains the size of
347 * the file and needs to be ignored as no data may follow this
348 * header type. For POSIX.1-1988 compliant archives, the size
349 * field needs to be 0. For POSIX.1-2001 compliant archives,
350 * the size field may be non zero, indicating that file data is
351 * included in the archive.
352 * i.e; always assume this is zero for safety.
353 */
354 goto size0;
355 case '7':
356 /* case 0: */
357 case '0':
358 #if ENABLE_FEATURE_TAR_OLDGNU_COMPATIBILITY
359 if (file_header->name && last_char_is(file_header->name, '/')) {
360 goto set_dir;
361 }
362 #endif
363 file_header->mode |= S_IFREG;
364 break;
365 case '2':
366 file_header->mode |= S_IFLNK;
367 /* have seen tarballs with size field containing
368 * the size of the link target's name */
369 size0:
370 file_header->size = 0;
371 break;
372 case '3':
373 file_header->mode |= S_IFCHR;
374 goto size0; /* paranoia */
375 case '4':
376 file_header->mode |= S_IFBLK;
377 goto size0;
378 case '5':
379 IF_FEATURE_TAR_OLDGNU_COMPATIBILITY(set_dir:)
380 file_header->mode |= S_IFDIR;
381 goto size0;
382 case '6':
383 file_header->mode |= S_IFIFO;
384 goto size0;
385 case 'g': /* pax global header */
386 case 'x': { /* pax extended header */
387 if ((uoff_t)file_header->size > 0xfffff) /* paranoia */
388 goto skip_ext_hdr;
389 process_pax_hdr(archive_handle, file_header->size, (tar_typeflag == 'g'));
390 goto again_after_align;
391 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
392 /* See http://www.gnu.org/software/tar/manual/html_node/Extensions.html */
393 case 'L':
394 /* free: paranoia: tar with several consecutive longnames */
395 free(p_longname);
396 /* For paranoia reasons we allocate extra NUL char */
397 die_if_bad_fnamesize(file_header->size);
398 p_longname = xzalloc(file_header->size + 1);
399 /* We read ASCIZ string, including NUL */
400 xread(archive_handle->src_fd, p_longname, file_header->size);
401 archive_handle->offset += file_header->size;
402 /* return get_header_tar(archive_handle); */
403 /* gcc 4.1.1 didn't optimize it into jump */
404 /* so we will do it ourself, this also saves stack */
405 goto again;
406 case 'K':
407 free(p_linkname);
408 die_if_bad_fnamesize(file_header->size);
409 p_linkname = xzalloc(file_header->size + 1);
410 xread(archive_handle->src_fd, p_linkname, file_header->size);
411 archive_handle->offset += file_header->size;
412 /* return get_header_tar(archive_handle); */
413 goto again;
414 /*
415 * case 'S': // Sparse file
416 * Was seen in the wild. Not supported (yet?).
417 * See https://www.gnu.org/software/tar/manual/html_section/tar_92.html
418 * for the format. (An "Old GNU Format" was seen, not PAX formats).
419 */
420 // case 'D': /* GNU dump dir */
421 // case 'M': /* Continuation of multi volume archive */
422 // case 'N': /* Old GNU for names > 100 characters */
423 case 'V': /* Volume header */
424 ; /* Fall through to skip it */
425 #endif
426 }
427 skip_ext_hdr:
428 {
429 off_t sz;
430 bb_error_msg("warning: skipping header '%c'", tar_typeflag);
431 sz = (file_header->size + 511) & ~(off_t)511;
432 archive_handle->offset += sz;
433 sz >>= 9; /* sz /= 512 but w/o contortions for signed div */
434 while (sz--)
435 xread(archive_handle->src_fd, &tar, 512);
436 /* return get_header_tar(archive_handle); */
437 goto again_after_align;
438 }
439 default:
440 bb_error_msg_and_die("unknown typeflag: 0x%x", tar_typeflag);
441 }
442
443 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
444 if (p_longname) {
445 file_header->name = p_longname;
446 p_longname = NULL;
447 }
448 if (p_linkname) {
449 file_header->link_target = p_linkname;
450 p_linkname = NULL;
451 }
452 #endif
453
454 /* Everything up to and including last ".." component is stripped */
455 overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
456 //TODO: do the same for file_header->link_target?
457
458 /* Strip trailing '/' in directories */
459 /* Must be done after mode is set as '/' is used to check if it's a directory */
460 cp = last_char_is(file_header->name, '/');
461
462 if (archive_handle->filter(archive_handle) == EXIT_SUCCESS) {
463 archive_handle->action_header(/*archive_handle->*/ file_header);
464 /* Note that we kill the '/' only after action_header() */
465 /* (like GNU tar 1.15.1: verbose mode outputs "dir/dir/") */
466 if (cp)
467 *cp = '\0';
468 archive_handle->action_data(archive_handle);
469 if (archive_handle->accept || archive_handle->reject
470 || (archive_handle->ah_flags & ARCHIVE_REMEMBER_NAMES)
471 ) {
472 llist_add_to(&archive_handle->passed, file_header->name);
473 } else /* Caller isn't interested in list of unpacked files */
474 free(file_header->name);
475 } else {
476 data_skip(archive_handle);
477 free(file_header->name);
478 }
479 archive_handle->offset += file_header->size;
480
481 free(file_header->link_target);
482 /* Do not free(file_header->name)!
483 * It might be inserted in archive_handle->passed - see above */
484 #if ENABLE_FEATURE_TAR_UNAME_GNAME
485 free(file_header->tar__uname);
486 free(file_header->tar__gname);
487 #endif
488 return EXIT_SUCCESS; /* "decoded one header" */
489 }
490